User Guide Dell Networking W-ClearPass Policy Manager 6.
Copyright Information © 2014 Aruba Networks, Inc. Aruba Networks trademarks include the Aruba Networks logo, Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System®. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA. All other trademarks are the property of their respective owners.
Contents
- About Dell Networking W-ClearPass Policy Manager (21); Common Tasks in Policy Manager (21); Importing (21); Exporting (22)
- Powering Up and Configuring Policy Manager Hardware (23); Server Port Overview (23); Server Port Configuration (23); Powering Off the System (25); Resetting the Passwords to Factory Default (26); Generating a Support Key for Technical Support (26)
- Policy Manager Dashboard (29)
- Monitoring (33); Live Monitoring (33); Access Tracker (33); Editing the Access Tracker (35); Viewing Access Tracker Sessi
- Old Data Tab (60); New Data tab (61); Inline Difference tab (62); Viewing Audit Row Details (Remove Page); Event Viewer (63); Creating an Event Viewer Report Using Default Values (64); Creating an Event Viewer Report Using Custom Values (64); Viewing Report Details (65); Data Filters (65); Add a Filter (66); Blacklisted Users (68)
- Policy Manager Policy Model (71); Services Paradigm (71); Viewing Existing Services (75); Adding and Removing Services (75); Links to Use Cases and Configuration Instructions (76); Policy Simulation
- Enforcement Tab (102); Audit Tab (102); Profiler Tab (102)
- 802.1X Wireless (103); Service Tab (103); Authentication Tab (103); Authorization Tab (104); Roles Tab (104); Posture Tab (104); Enforcement Tab (105); Audit Tab (105); Profiler Tab (105); 802.
- Service Tab (117); Authentication Tab (117); Authorization Tab (117); Roles Tab (118); Enforcement Tab (118)
- Dell W-Series Application Authentication; Service Tab (118); Authentication Tab (119); Roles Tab (119); Enforcement Tab (119)
- Dell W-Series Application Authorization (119)
- Cisco Web Authentication Proxy (120); Service Tab (120); Authentication Tab (120); Authorization Tab (121); Roles Tab (121); Enforcement Tab (122); Audit Tab (122)
- Services (122); Adding Services (123); Modifying Services (126); Reordering Services
- Inner Methods Tab (147); MAC-AUTH (147); MSCHAP (148); PAP (149)
- Adding and Modifying Authentication Sources (149)
- Generic LDAP and Active Directory (150); General Tab (151); Primary Tab (152); Attributes Tab (155); Add More Filters (158); Browse Tab (158); Filter Tab (159); Attributes Tab (161); Configuration Tab (162); Modify Default Filters (162)
- Generic SQL DB (163); General Tab (163); Primary Tab (165); Attributes Tab (165)
- HTTP (167); General Tab (167); Primary Tab (168); Attributes Tab (169)
- Kerberos (170); General Tab
- Additional Available Tasks (188)
- Configuring a Role Mapping Policy (189); Adding and Modifying Roles (189); Adding and Modifying Role Mapping Policies (190); Policy Tab (190); Mapping Rules Tab (191)
- Posture (195); Posture Architecture and Flow; Posture Policy (195); Posture Server (195); Audit Server (195); Configuring Posture (197); Adding a Posture Policy (198); NAP Agent (198); OnGuard Agent (Persistent or Dissolvable) (199); ClearPass Mac OS X (200); ClearPass Windows Universal System Health Validator - NTP Agent 2
- Profile tab (250); Role Configuration tab (250); Captive Portal Profile (251); Policer Profile (252); QoS Profile (252); VoIP Profile (253); NetService Configuration (253); NetDestination Configuration (254); Time Range Configuration (254); ACL (255)
- Aruba RADIUS Enforcement (256); Profile tab (256); Attributes tab (257)
- Cisco Downloadable ACL Enforcement (257); Profile tab (258); Attributes tab (258)
- Cisco Web Authentication Enforcement (259); Profile tab (259); Attributes tab (260)
- ClearPass Entity Update Enforcement
- SNMP Based Enforcement; Profile tab (273); Attributes tab (273)
- TACACS+ Based Enforcement (274); Profile tab (274); Services tab (275)
- VLAN Enforcement (276); Profile tab (276); Attributes tab (276)
- Configuring Enforcement Policies (277)
- Network Access Devices (281); Adding and Modifying Devices (281); Adding a Device (281); Additional Available Tasks (285); Adding and Modifying Device Groups (285); Additional Available Tasks (287); Adding and Modifying Proxy Targets (287); Add a Proxy Target (288); Additional Available Tasks
- Simulation tab (301); Attributes tab (303); NAS Type: Aruba Wireless Controller (304); NAS Type: Aruba Wired Switch Controller (304); NAS Type: Cisco Wireless Switch (305); Results tab (305)
- Role Mapping (306); Simulation tab (306); Attributes tab (307); Results tab (308)
- Service Categorization (309); Simulation tab (309); Attributes tab (309); Results tab (310)
- ClearPass Policy Manager Profile (311); Device Profile (311); Collectors (311); DHCP (312); Sending DHCP Traffic to CPPM (312); ClearPass Onboard (312); HTTP User-Age
- Server Configuration; Editing Server Configuration Settings (328); System Tab (328); Join AD Domain (330); Add Password Server (332); Services Control Tab (332); Service Parameters Tab (333); System Monitoring Tab (343); Network Tab (345); Set Date & Time (347); Change Cluster Password (349); Manage Policy Manager Zones (350); NetEvents Targets (351); Virtual IP Settings (351); Make Subscriber (352); Upload Nessus Plugins (353); Cluster-Wide Parameters (353); Collect Logs (357); Backup (358); Restore (359); Shutdown/Reboot 36
- Adding a Syslog Export Filter (General tab) (371); Adding a Syslog Export Filter (Summary tab) (372); Messaging Setup (373)
- Endpoint Context Servers (375); Adding an Endpoint Context Server (375); Modify an endpoint context server (375); Delete an endpoint context server (375); Adding an Air Watch Endpoint Context Server (375); Adding an Air Wave Endpoint Context Server (377); Adding an Aruba Activate Endpoint Context Server (378); Adding a Generic HTTP Endpoint Context Server (379); Adding a JAMF Endpoint Context Se
- View an application dictionary (406); Delete an application dictionary (406); Endpoint Context Server Actions (406); Filter an Endpoint Context Server Action Report (407); View Details About Endpoint Context Server Actions (407); Add an Endpoint Context Server Action Item (407); Import Context Server Actions (408); Export Context Server Actions (409); OnGuard Settings (409); Software Updates (411); Install Update dialog box (413); Updating the Policy Manager Software; Upgrade the Image on a Single Policy Manager Applia
- Show Commands (432): all-timezones (432); date (432); dns (433); domain (433); hostname (433); ip (433); license (434); timezone (434); version (434)
- System Commands (434): boot-image (435); gen-support-key (435); install-license (435); morph-vm (436); restart (436); shutdown (436); update (436); upgrade (437)
- Miscellaneous Commands (437): ad auth (438); ad netjoin (438); ad netleave (439); ad testjoin (439); alias (439); backup (440); dump certchain (440); dump logs (440); dump servercert (441); exit (441); help (441)
- Audit Namespaces (447); Authentication Namespaces (447); Authentication namespace editing context (447); Authorization Namespaces (449); Authorization editing context (449); AD Instance Namespace (449); Authorization (449); LDAP Instance Namespace (449); RSAToken Instance Namespace (449); Sources (450); SQL Instance Namespace (450); Certificate Namespaces (450); Certificate namespace editing context (450); Connection Namespaces (451); Connection namespace editing contexts (451); Date Namespaces (452); Date namespace editin
- 1 (a) RADIUS server stop SNMP trap (465); 1 (b) RADIUS server start SNMP trap (465); 2 (a) Admin Server stop SNMP trap (466); 2 (b) Admin Server start SNMP trap (466); 3 (a) System Auxiliary server stop SNMP trap (466); 3 (b) System Auxiliary server start SNMP trap (466); 4 (a) Policy server stop SNMP trap (467); 4 (b) Policy server start SNMP trap (467); 5 (a) Async DB write service stop SNMP trap (467); 5 (b) Async DB write service start SNMP trap (467); 6 (a) DB replication service stop SNMP trap (468); 6 (b) DB re
- Info Events; ClearPass System Configuration Events (475); Critical Events (475); Info Events (475); ClearPass Update Events (476); Critical Events (476); Info Events (476); Cluster Events (476); Critical Events (476); Info Events (476); Command Line Events (476); Info Events (476); DB Replication Services Events (476); Info Events (476); Licensing Events (476); Critical Events (476); Info Events (476); Policy Server Events (477); Info Events (477); RADIUS/TACACS+ Server Events (477); Critical Events (477); Info Events (477); SNMP Events
- Supported Browsers and Java Versions
Chapter 1 About Dell Networking W-ClearPass Policy Manager
The Dell Networking W-ClearPass Policy Manager platform provides role- and device-based network access control across any wired, wireless, or VPN infrastructure. Software modules for the Dell Networking W-ClearPass Policy Manager platform, such as Guest, Onboard, Profile, OnGuard, QuickConnect, and Insight, simplify and automate device configuration, provisioning, profiling, health checks, and guest access.
The file you select must be an XML file in the correct format. If you have exported files from different places in Policy Manager, make sure you select the correct one to import. The API Guide contains more information about the format and contents of XML files.
4. If the file is password protected, enter the password (secret).
5. Click Import.
Exporting
On most pages with lists in Dell Networking W-ClearPass Policy Manager, you can export the information about one or more items.
Chapter 2 Powering Up and Configuring Policy Manager Hardware This section provides an overview of the server ports. It also provides information on the initial Policy Manager setup using the Command Line Interface (CLI).
Table 2: Required Information (record the value for your installation)
- Hostname (Policy Manager server)
- Management Port IP Address
- Management Port Subnet Mask
- Management Port Gateway
- Data Port IP Address (optional). NOTE: The Data Port IP Address must not be in the same subnet as the Management Port IP Address.
- Data Port Gateway (optional)
- Data Port Subnet Mask (optional)
- Primary DNS
- Secondary DNS
- NTP Server (optional)
Perform the following steps to set up the Policy Manager appliance: 1.
Enter Management Port Subnet Mask: 255.255.255.0
Enter Management Port Gateway: 192.168.5.1
Enter Data Port IP Address: 192.168.7.55
Enter Data Port Subnet Mask: 255.255.255.0
Enter Data Port Gateway: 192.168.7.1
Enter Primary DNS: 198.168.5.3
Enter Secondary DNS: 192.168.5.1
4. Change your password. Use any string of at least six characters:
New Password: ************
Confirm Password: ************
Going forward, you will use this password for cluster administration and management of the appliance. Six characters is only the enforced minimum; because this password protects cluster administration, choose a long, unique passphrase. 5.
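As an added check (example code, not part of this guide or of the product), the following script validates the Table 2 values before they are typed into the appliance: it verifies that the management gateway lies in the management subnet, that the optional data port is on a different subnet with a gateway inside it (the NOTE above), and, as a typo heuristic, flags any DNS server that is a public address while the appliance itself sits on private address space. The management IP address is an assumption, since that prompt is not shown in the transcript; the primary DNS 198.168.5.3 is taken exactly as printed above, and it is the value the heuristic flags.

```python
"""Pre-flight check of the Table 2 network values before the appliance is configured.
Added example, not part of the Dell/Aruba guide or product. The management IP is an
assumption (that prompt is not shown in the transcript)."""
import ipaddress

# Constructed sample mirroring the setup transcript. The primary DNS 198.168.5.3 is
# kept exactly as printed in the guide so that the heuristic below can flag it.
SAMPLE = {
    "mgmt_ip": "192.168.5.10",        # assumption: not shown in the transcript
    "mgmt_mask": "255.255.255.0",
    "mgmt_gw": "192.168.5.1",
    "data_ip": "192.168.7.55",        # optional; leave empty to skip data-port checks
    "data_mask": "255.255.255.0",
    "data_gw": "192.168.7.1",
    "dns": ["198.168.5.3", "192.168.5.1"],
}


def _network(ip, mask):
    """Subnet containing ip/mask, e.g. 192.168.5.10 + 255.255.255.0 -> 192.168.5.0/24."""
    return ipaddress.ip_interface(f"{ip}/{mask}").network


def check_appliance_network(cfg):
    """Return a list of problem codes; an empty list means the values are consistent.

    Checks: the management gateway lies in the management subnet; the optional data
    port is on a different subnet than the management port (the NOTE in Table 2) and
    its gateway lies inside that subnet; and, as a typo heuristic, any DNS server that
    is a public address while the appliance itself sits on private (RFC 1918) space.
    """
    problems = []
    mgmt = _network(cfg["mgmt_ip"], cfg["mgmt_mask"])
    if ipaddress.ip_address(cfg["mgmt_gw"]) not in mgmt:
        problems.append("mgmt-gateway-outside-subnet")

    if cfg.get("data_ip"):
        data = _network(cfg["data_ip"], cfg["data_mask"])
        if mgmt.overlaps(data):
            problems.append("data-subnet-overlaps-mgmt")
        if ipaddress.ip_address(cfg["data_gw"]) not in data:
            problems.append("data-gateway-outside-subnet")

    for server in cfg.get("dns", []):
        addr = ipaddress.ip_address(server)
        if mgmt.is_private and addr.is_global:
            problems.append(f"dns-public-address:{server}")
    return problems


if __name__ == "__main__":
    for problem in check_appliance_network(SAMPLE) or ["ok"]:
        print(problem)
```

Run the script with the values you intend to enter; any code it prints is worth resolving before step 3, because a data port that lands in the management subnet is refused by the appliance and a mistyped DNS address only shows up later as failed AD joins and name lookups.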
Resetting the Passwords to Factory Default
To reset Administrator passwords in Policy Manager to factory defaults, log in to the CLI as the apprecovery user. The password for the apprecovery user is generated dynamically: the appliance produces a recovery key that must be sent to Dell technical support, who return the password. Anyone with console access to the appliance and a support relationship can therefore reset the administrator passwords, so restrict physical and serial-console access accordingly. Perform the following steps to generate the recovery password:
1. Connect to the Policy Manager appliance via the front serial port (using any terminal program).
2. Reboot the system.
2) Generate a support key
3) Generate password recovery and support keys
Enter the option or press any key to quit:
5. To generate the support key, select option 2. Select option 3 to generate a password recovery key as well.
6. After the password recovery key is generated, email the key to Dell technical support. Dell technical support can then generate a unique password for logging in to the support shell.
Chapter 3 Policy Manager Dashboard
Drag and drop elements from the left pane to customize the Dashboard layout.
Table 3: Dashboard Layout Parameters
- The graph displays all requests processed by Policy Manager over the past week. Processed requests include RADIUS, TACACS+ and WebAuth requests. The default data filter “All Requests” is used to plot this graph. Clicking a bar in the graph drills down into the Access Tracker and shows the requests for that day.
- This shows a graph of the “Healthy” vs.
- This chart shows all profiled devices categorized into the built-in categories: Smartdevices, Access Points, Computer, VOIP phone, Datacenter Appliance, Printer, Physical Security, Game Console, Routers, Unknown, and Conflict. Unknown devices are devices that the profiler was not able to profile. Conflict indicates a conflict in the categorization of the device.
- This shows a table of the last few failed authentications. Clicking a row drills down into the Access Tracker and shows failed requests sorted by timestamp, latest first.
- This shows a bar chart in which each bar represents a Policy Manager service into which requests were categorized. Clicking a bar drills down into the Access Tracker and shows the requests that were categorized into that service.
- This shows links to the Dell Insight, Guest and Onboard + WorkSpace applications that are integrated with Policy Manager.
- This shows the status of all nodes in the cluster. The following fields are shown for each node:
  - Status: the overall health status of the system. Green indicates healthy and red indicates connectivity problems or high CPU or memory utilization. The status also shows red when a node is out of sync with the rest of the cluster.
Chapter 4 Monitoring
The Policy Manager Monitoring feature provides access to live monitoring of components and other functions. For more information, see:
- "Live Monitoring" on page 33
- "Audit Viewer" on page 58
- "Event Viewer" on page 63
- "Data Filters" on page 65
- "Blacklisted Users" on page 68
Live Monitoring
The live monitoring link provides access to six monitoring features.
Table 4: Access Tracker Page Parameters
- Current filter setting. See "Data Filters" on page 65 to modify this setting.
- IP address or domain name of the server.
- A setting of Last 1 day before Today displays information for the past 24 hours.
- Shows the current setting for the number of days prior to the configured date for which Access Tracker data is to be displayed.
- Auto Refresh: Click to enable or disable automatic page refresh.
- Filter: Select a filter to constrain the data display.
Editing the Access Tracker
You can change the Access Tracker parameters by clicking the Edit button.
Figure 5: Access Tracker Page (edit mode)
Table 5: Access Tracker Edit Page (edit mode) Parameters
- Select Server/Domain: Select the server for which to display dashboard data. Select All to display transactions from all nodes in the Policy Manager cluster.
- Auto Refresh: Click to enable or disable the automatic page refresh feature.
Section action is supported by all devices. Some devices support setting a session timeout, changing the VLAN for the session, applying an ACL, etc.
Summary tab: This tab shows a summary view of the transaction, including policies that have been applied.
Figure 6: Request Details Summary tab Parameters
Input tab: This tab shows protocol-specific attributes that Policy Manager received in the transaction request; this includes authentication and posture details (if available).
Figure 8: Output tab Parameters
Alerts tab: This tab is displayed if there was an error in the Login Status. For example, if you select a row in a report where the Login Status displays TIMEOUT or REJECT, an Alerts tab will be displayed.
Figure 9: Alerts tab Parameters
Table 6: Request Details Page Control Parameters
- Change Status: Click this button to change the access control status of a session. The button is only enabled for the RADIUS and WebAuth authentication types. After you click it, the Access Control Capabilities tab opens, where you can view or change the Access Control Type.
  - Agent: This control is available for a session where the endpoint has the OnGuard Agent installed.
Authorizations tab This tab is only available for TACACS+ sessions. This shows the commands entered at the network device, and the authorization status. RADIUS CoA tab This tab is only available for RADIUS transactions for which a RADIUS Change of Authorization command was sent to the network device by Policy Manager. The view shows the RADIUS CoA actions sent to the network device in chronological order.
Table 7: Accounting Page (Edit Mode) Parameters (Continued)
- Select Date Range: Select the number of days prior to the configured date for which Accounting data is to be displayed. Valid values are 1 day to a week.
- Show Latest: Sets the date in the previous step to Today.
- Select Columns: Click the right or left arrows to move data between Available Columns and Selected Columns. Click the Up or Down buttons to rearrange columns in either column.
Table 8: RADIUS Accounting Record Details Auth Sessions tab Parameters (Continued)
- Time Stamp: When the event occurred.
RADIUS Accounting Record Details (Details tab)
This topic describes the parameters of the Accounting Record Details Details tab for the RADIUS protocol.
Figure 13: RADIUS Accounting Record Details (Summary tab)
Table 10: RADIUS Accounting Record Details Summary tab Parameters
- Session ID: Policy Manager session identifier (you can correlate this record with a record in Access Tracker).
- Account Session ID: A unique ID for this accounting record (the RADIUS Acct-Session-Id).
- Start and End Timestamp: Start and end time of the session.
- Status: Current connection status of the session.
- Username: Username associated with this record.
- Service Type: The value of the standard RADIUS attribute Service-Type.
- NAS IP Address: IP address of the network device.
- NAS Port Type: The access method, for example Ethernet or 802.11 Wireless.
- Calling Station ID: In most use cases supported by Policy Manager this is the MAC address of the client.
- Called Station ID: MAC address of the network device.
Figure 14: RADIUS Accounting Record Details (Utilization tab)
Table 11: RADIUS Accounting Record Details Utilization tab Parameters
- Active Time: How long the session was active.
- Account Delay Time: How many seconds the network device spent trying to send this record (the RADIUS Acct-Delay-Time). Subtract it from the record timestamp to arrive at the time the device actually generated the record.
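To make the Summary and Utilization fields concrete, here is an added example (not Policy Manager code) that builds and decodes a RADIUS Accounting-Request as specified in RFC 2866, verifies the Request Authenticator with the shared secret before trusting any attribute, and applies the Acct-Delay-Time correction described above to recover the time the network device actually generated the record. The packet contents, the shared secret and the timestamps are constructed for the example.

```python
"""Decode a RADIUS Accounting-Request, verify its Request Authenticator with the
shared secret, and recover the Summary/Utilization fields, including the
Acct-Delay-Time correction. Added example, not Policy Manager code. Attribute
numbers follow RFC 2865/2866; the sample packet, shared secret and timestamps
are constructed for the example."""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4
ATTR_NAMES = {
    1: "User-Name", 4: "NAS-IP-Address", 6: "Service-Type", 30: "Called-Station-Id",
    31: "Calling-Station-Id", 40: "Acct-Status-Type", 41: "Acct-Delay-Time",
    44: "Acct-Session-Id", 46: "Acct-Session-Time", 61: "NAS-Port-Type",
}
INTEGER_ATTRS = {6, 40, 41, 46, 61}
IPADDR_ATTRS = {4}


def encode_attrs(attrs):
    """attrs: list of (type, value) pairs -> RADIUS attribute bytes (type, length, value)."""
    out = b""
    for attr_type, value in attrs:
        if attr_type in INTEGER_ATTRS:
            data = struct.pack("!I", value)
        elif attr_type in IPADDR_ATTRS:
            data = bytes(int(octet) for octet in value.split("."))
        else:
            data = value.encode() if isinstance(value, str) else value
        out += struct.pack("!BB", attr_type, len(data) + 2) + data
    return out


def build_accounting_request(identifier, attrs, secret):
    """RFC 2866: Request Authenticator = MD5(Code + ID + Length + 16 zero bytes + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_accounting_request(packet, secret):
    """Return (authenticator_valid, attributes). Only trust the attributes when the
    first element is True: a sender that does not know the secret cannot produce it."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Accounting-Request")
    authenticator, body = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    valid = hmac.compare_digest(authenticator, expected)
    attrs, pos = {}, 0
    while pos < len(body):
        if len(body) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, attr_len = body[pos], body[pos + 1]
        if attr_len < 2 or pos + attr_len > len(body):
            raise ValueError("malformed attribute at offset %d" % pos)
        data = body[pos + 2:pos + attr_len]
        if attr_type in INTEGER_ATTRS:
            value = struct.unpack("!I", data)[0]
        elif attr_type in IPADDR_ATTRS:
            value = ".".join(str(octet) for octet in data)
        else:
            value = data.decode(errors="replace")
        attrs[ATTR_NAMES.get(attr_type, "Attr-%d" % attr_type)] = value
        pos += attr_len
    return valid, attrs


def generated_at(received_epoch, attrs):
    """Epoch seconds at which the device actually produced the record:
    receipt time minus Acct-Delay-Time (the Utilization tab correction)."""
    return received_epoch - attrs.get("Acct-Delay-Time", 0)


# Constructed sample: a Stop record that a switch retried for 30 s before it got through.
SECRET = b"example-shared-secret"          # assumption; not a real deployment secret
SAMPLE_ATTRS = [
    (1, "alice"), (4, "192.168.7.2"), (6, 2),            # Service-Type 2 = Framed
    (30, "00-11-22-33-44-55"), (31, "AA-BB-CC-DD-EE-FF"),
    (40, 2), (41, 30),                                  # Acct-Status-Type 2 = Stop, 30 s delay
    (44, "0x5f3e1a2b"), (46, 3600), (61, 15),           # NAS-Port-Type 15 = Ethernet
]
SAMPLE_PACKET = build_accounting_request(7, SAMPLE_ATTRS, SECRET)

if __name__ == "__main__":
    ok, record = parse_accounting_request(SAMPLE_PACKET, SECRET)
    print("authenticator valid:", ok)
    print("session", record["Acct-Session-Id"], "active", record["Acct-Session-Time"], "s")
    print("record generated at epoch", generated_at(1401624030, record))
```

The authenticator check is the part worth keeping in mind when reading accounting data: a record whose authenticator does not verify against the device's shared secret should not be used to update session state, and the Acct-Delay-Time correction matters when you line up a Stop record against other logs, because the receipt time can be well after the session actually ended.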
Figure 15: TACACS+ Accounting Record Details (Auth Sessions tab)
Table 12: TACACS+ Accounting Record Details Auth Sessions tab Parameters
- Number of Authentication Sessions: Total number of authentications (always 1) and authorizations in this session.
- Authentication Sessions Details: For each request ID, denotes whether it is an authentication or authorization request, and the time at which the request was sent.
Figure 16: TACACS+ Accounting Record Details (Details tab)
Table 13: TACACS+ Accounting Record Details tab Parameters
- Details tab: For each authorization request, shows cmd (the command typed), priv-lvl (privilege level of the administrator executing the command), service (shell), etc.
TACACS+ Accounting Record Details (Request tab)
This topic describes the parameters of the Accounting Record Details Request tab for the TACACS+ protocol.
Table 14: TACACS+ Accounting Record Request tab Parameters
- Session ID: A unique ID associated with a request.
- User Session ID: A session ID that correlates the authentication, authorization and accounting records.
- Start and End Timestamp: Start and end time of the session.
- Username: Username associated with this record.
- Client IP: The IP address and tty of the device interface.
- Remote IP: The IP address from which the administrator logged in.
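The cmd, priv-lvl, service, Remote IP and authorization-status fields shown in the TACACS+ tabs are what a detection rule works from. The following added example (not Policy Manager code) triages a small set of constructed accounting records: it flags configuration-changing commands run at privilege level 15 from a source outside an assumed jump-host range, and any command whose authorization was denied. The record layout, the admin source range and the command list are assumptions made for the example.

```python
"""Triage TACACS+ accounting records of the kind the Details and Request tabs show.
Added example, not Policy Manager code. The record layout, ADMIN_SOURCES and
CONFIG_COMMANDS are assumptions made for this example."""
import ipaddress

ADMIN_SOURCES = [ipaddress.ip_network("10.10.0.0/24")]   # assumption: jump-host range
CONFIG_COMMANDS = ("configure", "copy", "write", "reload", "username", "aaa")

# Constructed records: one per authorization request, as the Details tab lists them.
RECORDS = [
    {"session_id": "1001", "user": "netops", "client_ip": "192.168.7.2", "tty": "vty0",
     "remote_ip": "10.10.0.5", "priv_lvl": 15, "service": "shell",
     "cmd": "configure terminal", "status": "PERMIT"},
    {"session_id": "1002", "user": "helpdesk", "client_ip": "192.168.7.2", "tty": "vty1",
     "remote_ip": "172.16.40.9", "priv_lvl": 15, "service": "shell",
     "cmd": "username backdoor privilege 15 secret x", "status": "PERMIT"},
    {"session_id": "1003", "user": "helpdesk", "client_ip": "192.168.7.3", "tty": "vty0",
     "remote_ip": "10.10.0.7", "priv_lvl": 1, "service": "shell",
     "cmd": "show running-config", "status": "DENY"},
]


def from_admin_range(ip):
    """True when the administrator's source address is inside an expected range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_SOURCES)


def triage(records):
    """Return (session_id, reason) findings in record order.

    Two rules: a privilege-15 configuration command issued from outside the admin
    range (a PERMIT from an unexpected place is the case worth a look, since the
    command already ran), and any authorization the device reported as denied.
    """
    findings = []
    for rec in records:
        first_word = rec["cmd"].split()[0] if rec["cmd"].split() else ""
        if (rec["priv_lvl"] >= 15 and first_word in CONFIG_COMMANDS
                and not from_admin_range(rec["remote_ip"])):
            findings.append((rec["session_id"], "config-change-from-unexpected-source"))
        if rec["status"] == "DENY":
            findings.append((rec["session_id"], "authorization-denied"))
    return findings


if __name__ == "__main__":
    for session_id, reason in triage(RECORDS):
        print(session_id, reason)
```

The User Session ID from Table 14 is the key to use when you want to group these per-command findings back into one administrator login before alerting on them.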
Figure 18: OnGuard Activity
Table 15: OnGuard Activity
- Auto Refresh: Toggle auto-refresh. If this is turned on, all endpoint activities are refreshed automatically.
- Send Message: Send a message to the selected endpoints.
Bounce an Agent (non-SNMP)
This page is used to initiate a bounce on the managed interface on the endpoint.
Table 16: Bounce Agents Page Parameters
- Display Message (Optional): An optional message to display on the endpoint via the OnGuard interface.
- Web link for more details (Optional): An optional clickable URL that is displayed along with the Display Message.
- Endpoint Status: No change in status - No change is made to the status of the endpoint. The existing status of Known, Unknown or Disabled continues to be applied.
Table 17: Bounce Client (Using SNMP) Page Parameters
- Client IP or MAC address: Enter the IP or MAC address of the client to bounce.
- Host MAC: Displays the Host MAC information.
- Host IP: Displays the Host IP address.
- Switch IP Address: Displays the Switch IP address.
- Switch Port: Displays the Switch port number.
- Description: Displays the description of the client.
- Status: Displays the status of the client.
Analysis and Trending
The Analysis and Trending page displays the monthly, bi-weekly, weekly, daily, 12-hourly, 6-hourly, 3-hourly or hourly quantity of requests for the subset of components included in the selected filters. The data can be aggregated by minute, hour, day or week. The list at the end of this topic shows the per-filter count for the aggregated data. Each bar in the bar graph corresponds to one filter and is clickable.
Figure 23: Endpoint Profiler (view 1)
Figure 24: Endpoint Profiler (view 2)
Click a device in the table below the graphs to view endpoint details about a specific device. Select the Cancel button to return to the Endpoint Profiler page.
Figure 25: Endpoint Profiler Details
System Monitor
The System Monitor page has four tabs. Each tab provides one or more charts or graphs that give real-time information about various components. Click the Update Now! button to refresh the information.
- System Monitor tab - Displays charts and graphs that include information about CPU load and usage, memory usage, and disk usage.
- Process Monitor tab - Displays reports about a selected process.
- "Process Monitor tab" on page 56
- "Network tab" on page 57
- "ClearPass tab" on page 58
Figure 26: System Monitor Page
System Monitor tab
The System Monitor tab displays information about component usage and load.
Figure 28: CPU Load Graph Example
Monitoring Memory Usage
This graph shows the percentage of free and total memory in gigabytes.
Figure 29: Memory Usage Graph Example
Monitoring Swap Memory Usage
This graph shows the percentage of free and total swap memory in gigabytes.
Figure 30: Used and Free Memory Graph Example
Monitoring Disk - / Usage
This chart shows the percentage of used and free disk space.
Figure 31: Used and Free Disk Space Graph Example
Monitoring Disk Swap Usage
The Disk - Swap Usage chart shows the used and total swap space.
Figure 32: Used and Free Disk Swap Chart Example
Process Monitor tab
Click this tab to view graphs that show data about CPU usage and main memory usage for the selected process or service.
Figure 33: Process Monitor tab Page Example
Monitoring Main Memory Usage
This graph shows the main memory usage over time, in kilobytes.
Figure 34: Main Memory Usage Graph Example
Network tab
Select the Network tab to view network activity charts and graphs about the following components:
- OnGuard
- Database
- Web Traffic
- RADIUS
- TACACS
- SSH
- NTP
Figure 35: Network Monitor Tab Graph Example (Web Traffic)
ClearPass tab
ClearPass can plot graphs based on the performance monitoring counters and timers for the following components:
- Service Categorization
- Authentication
- Authorization
- Role Mapping
- Posture Evaluation
- Enforcement
- End-to-end request processing for RADIUS, TACACS+ and WebAuth based requests.
These components are actively monitored and the ClearPass tab displays the past 30 minutes of the monitored data.
Figure 37: Audit Viewer Page
Table 19: Audit Viewer Page Parameters
- Select Filter: Select the filter by which to constrain the display of audit data.
- Show records: Show 10, 20, 50 or 100 rows. After being selected, this setting is saved and available in subsequent logins.
Viewing Audit Row Details (Add Page)
If you click a row on the main page where the Action was ADD, an Audit Row Details page opens. The page gives details that are specific to the Action category.
Figure 39: Audit Row Details Page Example 2 (Virtual IP Server Added)
Viewing Audit Row Details (Modify Page)
If you click a row on the main page where the Action was MODIFY, an Audit Row Details page opens. The Audit Row Details page for the MODIFY category has three tabs.
Old Data Tab
The top section of the Old Data tab is a summary of details about the original data values. The bottom section shows data about the original attributes and values.
Figure 41: Old Data tab Attributes Section
New Data tab
The top section of the New Data tab is a summary of the new data values, such as User ID, Password and Guest Type. The bottom section displays new and changed attributes. The figures show a MODIFY action that was taken in the category Guest User.
Figure 42: New Data tab
Figure 43: New Data tab Attributes Section Inline Difference tab This tab is a summary of the difference(s) between the old and new data. The example shows the modification made to the value on Line 20 of the Old Data Attribute named airgroup_shared_time. Modifications are highlighted in yellow. Additions are highlighted in green. Deletions are highlighted in red. A green arrow indicates that the value was moved up, and a red arrow indicates the value was moved down.
Figure 45: Audit Row Details (Remove Page)
Event Viewer
The Event Viewer page provides reports about system-level events. For more information, see:
- "Creating an Event Viewer Report Using Default Values" on page 64
- "Creating an Event Viewer Report Using Custom Values" on page 64
- "Viewing Report Details" on page 65
Figure 46: Event Viewer Report Page (Default Values)
Table 20: Event Viewer Report Page Parameters (Default Values)
- Select Server: Shows the name and IP address of the server you are logged into. Click to select a new server.
- Filter: Select a topic to filter for. The options are Source, Level, Category, Action, and Description.
- Go: Click to create the report.
- Clear Filter: Click to restore the default filter settings.
- Click to add up to four filter fields.
9. Change the Show records value to 20. 10. Click Go. Figure 47: Event Viewer Report Example (Custom Values) Viewing Report Details Click a row in the Event View report to display System Event Details.
For more information, see "Add a Filter" on page 66.
Figure 49: Data Filters Page
Table 21: Data Filters Page Parameters
- Add Filter: Click to open the Add Filter wizard.
- Import Filters: Click to open the Import Filters popup.
- Export Filters: Click to open the Export Filters popup. This exports all configured filters.
- Copy: Copy the selected filters.
- Export: Click to open the Export popup to export only the selected filters.
- Delete: Click to delete the selected filters.
Table 22: Add Filter (Filter tab)
- Name/Description: Name and description of the filter (freeform).
- Configuration Type: Choose one of the following configuration types:
  - Specify Custom SQL - Selecting this option allows you to specify a custom SQL entry for the filter. If this is specified, then the Rules tab disappears, and a SQL template displays in the Custom SQL field. NOTE: Selecting this option is not recommended.
Figure 52: Add Filter (Rules tab) - Rules Editor
Table 24: Add Filter (Rules tab)
- Matches: ANY matches if at least one of the configured conditions holds. ALL requires every configured condition to match.
- Type: This indicates the namespace for the attribute.
  - Common - Attributes common to RADIUS, TACACS, and WebAuth requests and responses.
  - RADIUS - Attributes associated with RADIUS authentication and accounting requests and responses.
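The Rules editor semantics (Matches ANY versus ALL over namespaced attributes) are easy to get subtly wrong, in particular for rows that do not carry the attribute at all, which is the situation a RADIUS-namespace rule meets on a TACACS+ row. The following added example (not Policy Manager code) implements a filter evaluator over constructed Access Tracker rows; the attribute names, operator names and row layout are stand-ins chosen for the example.

```python
"""Apply a Data Filter built with the Rules editor (Matches ANY / ALL over namespaced
attributes) to Access Tracker rows. Added example, not Policy Manager code: the row
layout, attribute names and operator names are constructed stand-ins."""
import operator
import re

OPERATORS = {
    "EQUALS": operator.eq,
    "NOT_EQUALS": operator.ne,
    "CONTAINS": lambda actual, wanted: wanted in actual,
    "MATCHES_REGEX": lambda actual, wanted: re.search(wanted, actual) is not None,
}


def rule_matches(rule, row):
    """rule = (namespace, attribute, operator, value). A row that lacks the attribute
    never matches, so a NOT_EQUALS rule does not silently pull in other protocols."""
    namespace, attribute, op, wanted = rule
    actual = row.get(namespace, {}).get(attribute)
    if actual is None:
        return False
    return OPERATORS[op](str(actual), str(wanted))


def filter_matches(filter_def, row):
    """Matches ANY: one rule is enough; Matches ALL: every rule must hold."""
    combine = any if filter_def["matches"] == "ANY" else all
    return combine(rule_matches(rule, row) for rule in filter_def["rules"])


def select_sessions(filter_def, rows):
    """Session IDs of the rows the filter keeps, in the order they were seen."""
    return [row["Common"]["Session-Id"] for row in rows if filter_matches(filter_def, row)]


# Constructed Access Tracker rows: Common attributes on every row, RADIUS ones only
# on RADIUS requests (the last row is a TACACS+ request and carries none).
ROWS = [
    {"Common": {"Session-Id": "R0001", "Login-Status": "REJECT", "Service": "Corp MAC Auth"},
     "RADIUS": {"Calling-Station-Id": "AA-BB-CC-11-22-33", "NAS-IP-Address": "192.168.7.2"}},
    {"Common": {"Session-Id": "R0002", "Login-Status": "ACCEPT", "Service": "Corp MAC Auth"},
     "RADIUS": {"Calling-Station-Id": "AA-BB-CC-44-55-66", "NAS-IP-Address": "192.168.7.2"}},
    {"Common": {"Session-Id": "R0003", "Login-Status": "REJECT", "Service": "Corp 802.1X Wireless"},
     "RADIUS": {"Calling-Station-Id": "AA-BB-CC-77-88-99", "NAS-IP-Address": "192.168.7.9"}},
    {"Common": {"Session-Id": "T0004", "Login-Status": "TIMEOUT", "Service": "Switch Admin TACACS"},
     "TACACS": {"Remote-IP": "10.10.0.5"}},
]

FAILED_MAC_AUTH = {"matches": "ALL", "rules": [
    ("Common", "Login-Status", "EQUALS", "REJECT"),
    ("Common", "Service", "CONTAINS", "MAC"),
]}
ANY_FAILURE = {"matches": "ANY", "rules": [
    ("Common", "Login-Status", "EQUALS", "REJECT"),
    ("Common", "Login-Status", "EQUALS", "TIMEOUT"),
]}
VENDOR_PREFIX_NOT_ON_NAS_9 = {"matches": "ALL", "rules": [
    ("RADIUS", "Calling-Station-Id", "MATCHES_REGEX", r"^AA-BB-CC-"),
    ("RADIUS", "NAS-IP-Address", "NOT_EQUALS", "192.168.7.9"),
]}

if __name__ == "__main__":
    for name, filter_def in [("failed MAC auth", FAILED_MAC_AUTH),
                             ("any failure", ANY_FAILURE),
                             ("vendor prefix, not NAS .9", VENDOR_PREFIX_NOT_ON_NAS_9)]:
        print(name, "->", select_sessions(filter_def, ROWS))
```

The third filter is the instructive one: the TACACS+ row has no RADIUS attributes, so the NOT_EQUALS rule does not match it, and it stays out of the result rather than leaking in because "nothing is not equal to something".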
Figure 53: Monitoring Blacklisted Users
Chapter 5 Policy Manager Policy Model From the point of view of network devices or other entities that need authentication and authorization services, Policy Manager appears as a RADIUS, TACACS+ or HTTP/S based Authentication server; however, its rich and extensible policy model allows it to broker security functions across a range of existing network infrastructure, identity stores, health/posture services and client technologies within the Enterprise.
Figure 54: Generic Policy Manager Service Flow of Control
Table 25: Policy Manager Service Components (columns: Component, Service:component ratio, Description)
- A - Authentication Method (zero or more per service): EAP or non-EAP method for client authentication. Policy Manager supports four broad classes of authentication methods:
  - EAP, tunneled: PEAP, EAP-FAST, or EAP-TTLS.
  - EAP, non-tunneled: EAP-TLS or EAP-MD5.
  - Non-EAP, non-tunneled: CHAP, MS-CHAP, PAP, or MAC-AUTH. MAC-AUTH must be used exclusively in a MAC-based Authentication Service.
Table 25: Policy Manager Service Components (Continued)
- C - Role Mapping Policy (zero or one per service): Policy Manager evaluates Requests against Role Mapping Policy rules to match Clients to Role(s). All rules are evaluated and Policy Manager may return more than one Role. If no rules match, the request takes the configured Default Role.
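The following added example (not Policy Manager code) walks requests through the component C semantics above: every role mapping rule is evaluated, a request can collect several roles, and the default role applies only when nothing matches. The roles then feed an enforcement policy that checks posture before any role, so an unhealthy endpoint is quarantined whatever it is otherwise entitled to, and that fails closed to a deny profile when no rule applies. The group names, device categories, roles, profiles, and the first-match ordering of the enforcement rules are assumptions made for the example.

```python
"""Walk requests through the service components of Table 25: role mapping with the
semantics of component C (every rule evaluated, several roles possible, the default
role when nothing matches), then an enforcement policy that turns roles and posture
into enforcement profiles. Added example, not Policy Manager code; rule predicates,
role, profile and attribute names are constructed, and first-match ordering of the
enforcement rules is an assumption made here."""


def evaluate_role_mapping(policy, request):
    """All rules are evaluated and every matching rule contributes its role;
    if none match, the request takes the policy's default role."""
    roles = []
    for condition, role in policy["rules"]:
        if condition(request) and role not in roles:
            roles.append(role)
    return roles or [policy["default_role"]]


def evaluate_enforcement(policy, roles, posture):
    """Assumption for this example: rules are tried in order and the first match wins;
    the default profile applies when nothing matches (a deny, so gaps fail closed)."""
    for condition, profiles in policy["rules"]:
        if condition(roles, posture):
            return list(profiles)
    return [policy["default_profile"]]


def evaluate_service(service, request):
    """Role mapping, then enforcement, for one request; returns what a simulation would."""
    roles = evaluate_role_mapping(service["role_mapping"], request)
    posture = request.get("posture", "UNKNOWN")
    profiles = evaluate_enforcement(service["enforcement"], roles, posture)
    return {"roles": roles, "posture": posture, "profiles": profiles}


# Constructed service: group membership and device category drive roles; posture is
# checked before any role so an unhealthy endpoint is quarantined whatever its role.
SERVICE = {
    "role_mapping": {
        "default_role": "[Guest]",
        "rules": [
            (lambda r: "Domain Admins" in r.get("memberOf", []), "NetAdmin"),
            (lambda r: "Employees" in r.get("memberOf", []), "Employee"),
            (lambda r: r.get("device_category") == "SmartDevice", "BYOD"),
        ],
    },
    "enforcement": {
        "default_profile": "Deny Access",
        "rules": [
            (lambda roles, posture: posture == "UNHEALTHY", ["Quarantine VLAN"]),
            (lambda roles, posture: "NetAdmin" in roles, ["Admin VLAN", "Session Timeout 8h"]),
            (lambda roles, posture: "Employee" in roles and "BYOD" in roles, ["BYOD VLAN"]),
            (lambda roles, posture: "Employee" in roles, ["Corp VLAN"]),
            (lambda roles, posture: "[Guest]" in roles, ["Guest VLAN"]),
        ],
    },
}

# Constructed requests: attributes as an authorization source and the profiler would supply them.
REQUESTS = {
    "alice": {"memberOf": ["Domain Admins", "Employees"], "device_category": "Computer", "posture": "HEALTHY"},
    "bob": {"memberOf": ["Employees"], "device_category": "SmartDevice", "posture": "HEALTHY"},
    "carol": {"memberOf": ["Employees"], "device_category": "Computer", "posture": "UNHEALTHY"},
    "visitor": {"device_category": "Computer"},
    "stray_phone": {"device_category": "SmartDevice"},
}

if __name__ == "__main__":
    for user, request in REQUESTS.items():
        print(user, evaluate_service(SERVICE, request))
```

Two outcomes are worth noticing. alice collects both NetAdmin and Employee because every rule is evaluated, and it is the enforcement policy, not role mapping, that decides which of the two wins. stray_phone gets the BYOD role without any group membership, and because no enforcement rule grants a BYOD-only request anything, it falls through to Deny Access rather than to the guest VLAN: the default role and the default profile are separate safety nets.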
Viewing Existing Services You can view all configured services in a list or drill down into individual services: In the menu panel, click Services to view a list of services that you can filter by phrase or sort by order. Figure 55: List of services with sorting tool In the Services page, click the name of a Service to display its details.
Figure 57: Disable/Enable toggle for a Policy Manager Service
Links to Use Cases and Configuration Instructions
For each of a Service’s policy components that you can configure, the following table references an illustrative Use Case and detailed Configuration Instructions.
Table 26: Policy Component Use Cases and Configuration Instructions (columns: Policy Component, Illustrative Use Cases, Configuration Instructions)
- Service: "802.
Table 26: Policy Component Use Cases and Configuration Instructions (Continued) Policy Component Illustrative Use Cases Role Mapping "802.1X Wireless Use Case" on page 479 has an explicit Role Mapping Policy that tests request attributes against a set of rules to assign a role.
deployment. The Policy Simulation utility applies a set of request parameters as input against a given policy component and displays the outcome, at Configuration > Policy Simulation. The following types of simulations are supported:
- Service Categorization - A service categorization sim
ulation allows you to specify a set of attributes in the RADIUS or Connection namespace and test which configured service the request will be categorized into.
Table 27: Policy Simulation Page Parameters (Continued)
- Copy: Make a copy of the selected policy simulation. The copy is renamed with the prefix Copy_Of_.
- Export: Opens the Export popup.
- Delete: Click to delete a selected (check box on left) Policy Simulation.
Adding Simulation Test
Navigate to Configuration > Policy Simulation and click the Add Simulation link. Depending on the simulation type selected, the contents of the Simulation tab change.
Table 28: Add Policy Simulation (Simulation tab) (Continued)
- Type: Role Mapping.
  - Input (Simulation tab): Select Service (the Role Mapping Policy is implicitly selected, because there is only one such policy associated with a service), Authentication Source, User Name, and Date/Time.
  - Input (Attributes tab): Use the Rules Editor to create a request with the attributes you want to test. All namespaces relevant for role mapping policies are loaded in the attributes editor.
Table 28: Add Policy Simulation (Simulation tab) (Continued)
Parameter | Description
Type: Audit |
- Input (Simulation tab): Select the Audit Server and the host to be audited (IP address or hostname).
- Returns (Results tab): Summary Posture Status, Audit Attributes and Status.
NOTE: Audit simulations can take a while; an AuditInProgress status is shown until the audit completes.
Table 28: Add Policy Simulation (Simulation tab) (Continued)
Parameter | Description
Type: Enforcement Policy |
- Input (Simulation tab): Select Service (Enforcement Policy is implicit by its association with the Service), Authentication Source (optional), User Name (optional), Roles, Dynamic Roles (optional), System Posture Status, and Date/Time (optional).
- Input (Attributes tab): Use the Rules Editor to create a request with the attributes you want to test.
Table 28: Add Policy Simulation (Simulation tab) (Continued)
Parameter | Description
Type: Chained Simulations |
- Input (Simulation tab): Select Service, Authentication Source, User Name, and Date/Time.
- Input (Attributes tab): Use the Rules Editor to create a request with the attributes you want to test. All namespaces that are relevant in the Role Mapping Policy context are loaded in the attributes editor.
- Returns (Results tab): Role(s), Posture Status, Enforcement Profiles and Status Messages.
Figure 59: Add Simulation (Attributes Tab)

In the Results tab, Policy Manager displays the outcome of applying the test request parameters against the specified policy component(s). What is shown in the Results tab again depends on the type of simulation.

Figure 60: Add Simulation (Results Tab)

Import and Export Simulations

Navigate to Configuration > Policy Simulation and select the Import Simulations link.
Table 29: Import Simulations
Parameter | Description
Select file | Browse to select the name of the simulations import file.
Import/Cancel | Click Import to commit or Cancel to dismiss the popup.

Export Simulations

Click the Export Simulations link. This task exports all simulations. Your browser will display its normal Save As dialog, in which you enter the name of the XML file that will contain the export.

Export

To export one simulation, click Export.
Chapter 6 Services

The Policy Manager policy model groups policy components that serve a particular type of request into Services, which sit at the top of the policy hierarchy.
- "Aruba Auto Sign-On" on page 91
- "ClearPass Admin Access" on page 92
- "ClearPass Admin SSO Login (SAML SP Service)" on page 92
- "ClearPass Identity Provider (SAML IdP Service)" on page 93
- "EDUROAM Service" on page 93
- "Guest Access Web Login" on page 95
- "Guest Access" on page 95
- "Guest MAC Authentication" on page 96
- "Onboard" on page 97
- "WorkSpace Authentication" on page 98

Figure 62: Service Templates page (partial view)

802.
Table 30: 802.1X Wired, 802.1X Wireless, and Dell 802.1X Wireless Service Template Parameters (Continued)
Parameter | Description
Description | Enter a description that will help you identify the characteristics of this template.
Server | Enter the hostname or the IP address of the Active Directory server.
Identity | Enter the Distinguished Name of the administrator account.
NETBIOS | Enter the server Active Directory domain name.
Table 31: Dell VPN Access with Posture Checks Service Template Parameters
Parameter | Description
Name Prefix | Enter an optional prefix that will be prepended to services using this template. Use this to identify services that use templates.
Authentication:
AD Name | Enter your Active Directory name.
Description | Enter a description that will help you identify the characteristics of this template.
Server | Enter the hostname or the IP address of the Active Directory server.
Aruba Auto Sign-On

This application service template allows access to SAML-based, single-sign-on-enabled applications (such as Policy Manager, Guest, and Insight) using Aruba controllers for network authentication.

Table 32: ClearPass Aruba Auto Sign-On Service Template Parameters
Parameter | Description
Name Prefix | Enter an optional prefix that will be prepended to services using this template. Use this to identify services that use templates.
ClearPass Admin Access

This template is designed for services that authenticate users against Active Directory (AD) and use AD attributes to determine appropriate privilege levels for Dell Networking W-ClearPass Policy Manager admin access.

Table 33: ClearPass Admin Access Service Template Parameters
Parameter | Description
Name Prefix | Enter an optional prefix that will be prepended to services using this template. Use this to identify services that use templates.
Parameter | Description
Service Rule:
Application | Select the application that single-sign-on-authenticated administrative users will be able to access.

ClearPass Identity Provider (SAML IdP Service)

This template is designed for services that act as an Identity Provider (IdP). This IdP feature provides a way for the layer-2 device, RADIUS server, and Security Assertion Markup Language (SAML) IdP to work together to deliver application-based single sign-on using network authentication information.
Table 36: EDUROAM Service Template Parameters
Parameter | Description
Name Prefix | Enter an optional prefix that will be prepended to services using this template. Use this to identify services that use templates.
Service Rule:
Enter domain details | Enter the domain name of the network.
Select Vendor | Select the vendor of the network device.
Authentication:
AD Name | Enter the hostname or the IP address of the Active Directory server.
Table 36: EDUROAM Service Template Parameters (Continued)
Parameter | Description
IP Address | The IP address of the federation RADIUS server.
Vendor Name | Select the manufacturer of the wireless controller.
RADIUS Shared Secret | Enter the shared secret that is configured on the controller and inside Policy Manager to send and receive RADIUS requests.
Enable RADIUS CoA | Select to enable RADIUS-initiated Change of Authorization on the network device.
Table 38: Guest Access Service Template Parameters
Parameter | Description
Name Prefix | Enter an optional prefix that will be prepended to services using this template. Use this to identify services that use templates.
Wireless Network Settings:
Wireless SSID for Guest access | Enter the SSID value here.
Wireless controller name | The name given to the Wireless Controller.
Controller IP Address | The wireless controller's IP address.
Vendor Name | Select the manufacturer of the wireless controller.
Table 39: Guest MAC Authentication Service Template Parameters (Continued)
Parameter | Description
Wireless SSID for Guest access | Enter the SSID name of your network.
Wireless controller name | The name given to the Wireless Controller.
Controller IP Address | The wireless controller's IP address.
Vendor Name | Select the manufacturer of the wireless controller.
Table 40: Onboard Authorization Service Template Parameters
Parameter | Description
Name Prefix | Enter an optional prefix that will be prepended to services using this template. Use this to identify services that use templates.
Wireless Network Settings:
Wireless controller name | The name given to the Wireless Controller.
Controller IP Address | The wireless controller's IP address.
Vendor Name | Select the manufacturer of the wireless controller.
Table 41: WorkSpace Authorization Service Template Parameters (Continued)
Parameter | Description
Identity | Enter the Distinguished Name of the administrator account.
NETBIOS | Enter the server Active Directory domain name.
Base DN | Enter the Distinguished Name of the administrator account.
Password | Enter the account password.
Port | Enter the TCP port where the server is listening for connections.
Device Access Restrictions:
Days allowed for access | Select the days on which access is allowed.
deployment. This service by default includes a rule that specifies that a Dell ESSID exists. The default configuration tabs are Service, Authentication, Roles, and Enforcement. You can also select Authorization, Posture Compliance, Audit End Hosts, and Profile Endpoints in the More Options section to access those configuration tabs.

Figure 63: Dell 802.1X Wireless Service

Service Tab

The Service tab includes basic information about the service including: Name, Description, and Service Type.
For both Authentication Methods and Authentication Sources, you can select one item in the list and use the buttons on the right to:
- Move it up or down. The order of authentication matters. When a client tries to do 802.1X authentication, Policy Manager proposes the first authentication method configured. The client can accept the authentication method proposed by Policy Manager and continue authentication, or send a NAK and propose a different authentication method.
through a dissolvable agent. You can also choose to Enable auto-remediation of non-compliant end-hosts and enter the Remediation URL of a server resource that can perform remediation action (when a client is quarantined). When you configure posture policies, only those that are configured for the OnGuard Agent are shown in a list of posture policies.
802.1X Wireless

Configure the 802.1X Wireless service for wireless clients connecting through an 802.11 wireless access device or controller with authentication via IEEE 802.1X. The default configuration tabs are: Service, Authentication, Roles, and Enforcement. You can also select Authorization, Posture Compliance, Audit End Hosts, and Profile Endpoints in the More Options section to access those configuration tabs.

Figure 64: 802.
For both Authentication Methods and Authentication Sources, you can select one item in the list and use the buttons on the right to:
- Move it up or down. The order of authentication matters. When a client tries to do 802.1X authentication, Policy Manager proposes the first authentication method configured. The client can accept the authentication method proposed by Policy Manager and continue authentication, or send a NAK and propose a different authentication method.
through a dissolvable agent. You can also choose to Enable auto-remediation of non-compliant end-hosts and enter the Remediation URL of a server resource that can perform remediation action (when a client is quarantined). When you configure posture policies, only those that are configured for the OnGuard Agent are shown in a list of posture policies.
Except for the NAS-Port-Type service rule value (which is Ethernet for 802.1X Wired and Wireless 802.11 for 802.1X Wireless), configuration for the rest of the tabs is similar to the 802.1X Wireless Service. See "802.1X Wireless" on page 103 for details.

Figure 65: 802.1X Wired Service

MAC Authentication

MAC-based authentication service, for clients without an 802.1X supplicant or a posture agent (printers, other embedded devices, and computers owned by guests or contractors).
Authentication Tab

The Authentication tab contains options for configuring authentication methods and sources. The default Authentication method used for this type of service is [MAC AUTH], which is a special type of method called MACAUTH. When this authentication method is selected, Policy Manager does stricter checking of the MAC Address of the client.
- Modify it. For more information on configuring authorization sources, see "Adding and Modifying Authentication Methods" on page 131.

Roles Tab

To associate a role mapping policy with this service, click on the Roles tab. For information on configuring role mapping policies, see "Configuring a Role Mapping Policy" on page 189.

Enforcement Tab

The Enforcement tab is where you select an enforcement policy for a service. You must select one.
Web-based Authentication

Configure this service for guests or agentless hosts that connect via the Dell built-in Portal. The user is redirected to the Dell captive portal by the network device or by a DNS server that is set up to redirect traffic on a subnet to a specific URL. The Web page collects username and password, and also optionally collects health information (on Windows 7, Windows Vista, Windows XP, Windows Server 2008, Windows Server 2003, and popular Linux systems).
Select Strip Username Rules to, optionally, pre-process the user name (to remove prefixes and suffixes) before authenticating and authorizing against the authentication source. There is no authentication method associated with this type of service. Authentication methods are only relevant for RADIUS requests.

Authorization Tab

The Authorization tab is not visible by default. To access it, select the Authorization check box on the Services tab.
Web-based Health Check Only

This type of service is the same as the Web-based Authentication service, except that there is no authentication performed; only health checking is done. There is an internal service rule (Connection:Protocol EQUALS WebAuth) that categorizes requests into this type of service. There is also an external service rule that is automatically added when you select this type of service: Host:CheckType EQUALS Health.
802.1X Wireless - Identity Only

Configuration for this type of service is the same as the regular 802.1X Wireless Service, except that posture and audit policies are not configurable when you use this template. Refer to "802.1X Wireless" on page 103 for more information.

Figure 70: 802.1X Wireless - Identity Only Service

802.1X Wired - Identity Only

Configure this service for clients connecting through an Ethernet LAN, with authentication via IEEE 802.1X. Configuration for the 802.
There are no default rules associated with this service type. Rules can be added to handle any type of standard or vendor-specific RADIUS attributes (any attribute that is loaded through the pre-packaged vendor-specific or standard RADIUS dictionaries, or through other dictionaries imported into Policy Manager).

Figure 72: RADIUS Enforcement (Generic) Service

Service Tab

The Service tab includes basic information about the service including: Name, Description, and Service Type.
Select Strip Username Rules to pre-process the user name (to remove prefixes and suffixes) before authenticating and authorizing against the authentication source.

Authorization Tab

The Authorization tab is not visible by default. To access it, select the Authorization check box on the Services tab. The Authorization tab is where you select authorization sources for this service.
- Select an Audit Server, either built-in or customized. See "Configuring Audit Servers" on page 233 for audit server configuration steps.
- Select an Audit Trigger Condition:
  - Always
  - When posture is not available
  - For MAC authentication requests. If you select this, then also select one of:
    - For known end-hosts only
    - For unknown end hosts only
    - For all end hosts
Known end hosts are defined as those clients that are found in the authentication source(s) associated with this service.
Figure 73: RADIUS Proxy Service

RADIUS Authorization

Configure this service type for services that perform authorization using RADIUS. When selected, the Authorization tab is enabled by default. Configuration for this service is the same as RADIUS Enforcement (Generic), except that you do not configure Authentication or Posture with this service type. Refer to "RADIUS Enforcement (Generic)" on page 112 for more information.
Figure 75: TACACS+ Enforcement Service

Service Tab

The Service tab includes basic information about the service including: Name, Description, and Service Type. When adding a service, enter a Name and Description that will help you know what the service does without looking at its details. The Service Type defines what can be configured. Select the Monitor Mode check box to exclude enforcement. Select any of the More Options check boxes to access that category of configuration options.
The Authorization tab is where you select authorization sources for this service. Policy Manager fetches role mapping attributes from the authorization sources associated with the service, regardless of which authentication source was used to authenticate the user. For a given service, role mapping attributes are fetched from the following authorization sources:
- The authorization sources associated with the authentication source.
- The authorization sources associated with the service.
Select the Monitor Mode check box to exclude enforcement. Select any of the More Options check boxes to access that category of configuration options. Service Rules define a set of criteria that supplicants must match to trigger the service. Some service templates have one or more rules pre-defined. Click on a service rule to modify any of its options.

Authentication Tab

The Authentication tab contains options for configuring authentication sources.
Figure 77: Dell W-Series Application Authorization

Cisco Web Authentication Proxy

This service is a Web-based authentication service for guests or agentless hosts. The Cisco switch hosts a captive portal, and the portal Web page collects username and password information. The switch then sends a RADIUS request in the form of a PAP authentication request to Policy Manager. By default, this service uses the PAP Authentication Method.
- Authentication Methods: The authentication methods used for this service depend on the authentication methods you choose to deploy. Policy Manager automatically selects the appropriate method for authentication when a user attempts to connect. In this case, PAP is selected by default.
- Authentication Sources: The Authentication Sources used for this type of service.
Enforcement Tab

The Enforcement tab is where you select an enforcement policy for a service. You must select one. See "Configuring Enforcement Policies" on page 277 for more information.

Audit Tab

By default, this type of service does not have Audit checking enabled and the Audit tab is not visible. To access it and enable posture checking for this service, select the Audit End-hosts check box on the Service tab.
- Select an Audit Server, either built-in or customized.
Figure 79: Service Listing Page

Table 42: Services page
Parameter | Description
Add Service | Add a service.
Import Services | Import previously exported services.
Export Service | Export all currently defined services, including all associated policies.
Filter | Filter the service listing by specifying values for different listing fields:
- Name
- Type
- Template
- Status
Status | The status displays in the last column of the table. A green/red icon indicates enabled/disabled state.
Figure 80: Add Service Page (all options enabled)

The Add Service tab includes the following fields.

Table 43: Service Page (General Parameters)
Label | Description
Type | Select the desired service type from the drop-down list. When working with service rules, you can select from the following namespace dictionaries:
- Application: The type of application for this service.
- Authentication: The Authentication method to be used for this service.
Table 43: Service Page (General Parameters) (Continued)
Label | Description
Monitor Mode | Optionally check Enable to monitor network access without enforcement. This allows authentication and health validation exchanges to take place between the endpoint and Policy Manager, but without enforcement. In monitor mode, no enforcement profiles (and associated attributes) are sent to the network device.
Modifying Services

Navigate to the Configuration > Services page to view available services. You can use these service types as configured, or you can edit their settings.

Figure 81: Service Listing Page

To modify an existing service, click on its name in the Configuration > Services page. This opens the Services > Edit form. Select the Service tab on this form to edit the service information.

Figure 82: Services Configuration

The following fields are available on the Service tab.
Table 44: Service Page (General Parameters) (Continued)
Parameter | Description
More Options | Select the available check box(es) to view additional configuration tab(s). The options that are available depend on the type of service currently being modified. TACACS+ Service, for example, allows for authorization configuration. RADIUS Service allows for configuration of posture compliance, end hosts, profile endpoints, and authorization.
Reordering Services

Policy Manager evaluates requests against the service rules of each service that is configured, in the order in which these services are defined. The service associated with the first matching service rule is then associated with this request. To change the order in which service rules are processed, you can change the order of services.
1. To reorder services, navigate to the Configuration > Services page.
2.
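The first-match, ordered evaluation described above and in the Service Categorization simulation earlier in this chapter, as an added example (not ClearPass code). Service names, rule values and the sample requests are constructed; the attribute names follow the Connection:, Host: and NAS-Port-Type rules quoted in this guide, and the full attribute name "Radius:IETF:NAS-Port-Type" is an assumption.

```python
"""Ordered, first-match service categorization as the Services page describes
it (added example, not ClearPass code). Service names, rule values and the
sample requests are constructed; "Radius:IETF:NAS-Port-Type" is assumed as
the full name of the NAS-Port-Type attribute."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    attribute: str            # e.g. "Connection:Protocol"
    operator: str             # EQUALS, NOT_EQUALS, EXISTS, BELONGS_TO
    value: object = None

    def matches(self, request):
        actual = request.get(self.attribute)
        if self.operator == "EXISTS":
            return actual is not None
        if self.operator == "EQUALS":
            return actual == self.value
        if self.operator == "NOT_EQUALS":
            return actual is not None and actual != self.value
        if self.operator == "BELONGS_TO":
            return actual in self.value
        raise ValueError(f"unsupported operator {self.operator!r}")


@dataclass
class Service:
    name: str
    rules: list
    match_all: bool = True    # the rule set matches ALL or ANY of its rules
    enabled: bool = True      # the Disable/Enable toggle on the listing page

    def matches(self, request):
        if not self.enabled or not self.rules:
            return False
        hits = [r.matches(request) for r in self.rules]
        return all(hits) if self.match_all else any(hits)


def categorize(services, request):
    """Return the name of the first enabled service whose rules match, else None."""
    for svc in services:
        if svc.matches(request):
            return svc.name
    return None


def reorder(services, name, new_index):
    """Move service `name` to 0-based position `new_index`, as the reorder
    control does. Returns a new list; the input list is left unchanged."""
    ordered = [s for s in services if s.name != name]
    target = next(s for s in services if s.name == name)
    ordered.insert(new_index, target)
    return ordered


# Constructed service list. The specific health-check service sits above the
# generic web-auth service: both match WebAuth requests, so order decides.
SERVICES = [
    Service("Guest Health Check", [
        Rule("Connection:Protocol", "EQUALS", "WebAuth"),
        Rule("Host:CheckType", "EQUALS", "Health"),
    ]),
    Service("Guest Web Login", [Rule("Connection:Protocol", "EQUALS", "WebAuth")]),
    Service("Wired 802.1X", [
        Rule("Connection:Protocol", "EQUALS", "RADIUS"),
        Rule("Radius:IETF:NAS-Port-Type", "EQUALS", "Ethernet"),
    ]),
    Service("Wireless 802.1X", [
        Rule("Connection:Protocol", "EQUALS", "RADIUS"),
        Rule("Radius:IETF:NAS-Port-Type", "EQUALS", "Wireless 802.11"),
    ]),
]

# Constructed sample requests, shaped like a Service Categorization simulation.
HEALTH_REQUEST = {"Connection:Protocol": "WebAuth", "Host:CheckType": "Health"}
LOGIN_REQUEST = {"Connection:Protocol": "WebAuth"}
WIFI_REQUEST = {"Connection:Protocol": "RADIUS",
                "Radius:IETF:NAS-Port-Type": "Wireless 802.11"}


def demo():
    """Show that the same health-check request lands in a different service
    once the generic service is moved above the specific one."""
    before = categorize(SERVICES, HEALTH_REQUEST)
    swapped = reorder(SERVICES, "Guest Web Login", 0)
    after = categorize(swapped, HEALTH_REQUEST)
    return before, after


if __name__ == "__main__":
    print(demo())   # ('Guest Health Check', 'Guest Web Login')
```

Running the Service Categorization simulation against a new request before and after a reorder is the equivalent check inside Policy Manager.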
Chapter 7 Authentication and Authorization

As the first step in Service-based processing, Policy Manager uses an Authentication Method to authenticate the user or device against an Authentication Source. After the user or device is authenticated, Policy Manager fetches attributes for role mapping policies from the Authorization Sources associated with this Authentication Source.
After Policy Manager successfully authenticates the user or device against an authentication source, it retrieves role mapping attributes from each of the authorization sources configured for that authentication source. It also, optionally, can retrieve attributes from authorization sources configured for the Service.
Figure 86: Authentication Components

From the Authentication tab of a service, you can configure three features of authentication:

Table 47: Authentication Features at the Service Level
Component | Configuration Steps
Sequence of Authentication Methods | 1. Select a Method, then select Move Up, Move Down, or Remove. 2. Select View Details to view the details of the selected method. 3. Select Modify to modify the selected authentication method.
In tunneled EAP methods, authentication and posture credential exchanges occur inside of a protected outer tunnel.
- "EAP-TLS" on page 144
- "EAP-TTLS" on page 146
- "MAC-AUTH" on page 147
- "MSCHAP" on page 148
- "PAP" on page 149

Figure 87: Add Authentication Method dialog box

Authorize

This is an authorization-only method that you can add with a custom name.
Figure 88: Add Authentication General tab

Table 49: Add Authentication General Tab Parameters
Parameter | Description
Name/Description | Freeform label and description.
Type | In this context, always Authorize.

CHAP and EAP-MD5

Policy Manager is preconfigured with CHAP and EAP-MD5 authentication methods. You can add CHAP and EAP-MD5 methods, and associate the new methods with a Service.
Figure 89: Add Authentication Method CHAP General tab

Figure 90: Add Authentication Method EAP-MD5 General tab
Table 50: Add Authentication Methods for CHAP and EAP-MD5 General tab Parameters
Parameter | Description
Name/Description | Freeform label and description.
Type | In this context, always CHAP or EAP-MD5.

EAP-FAST

The EAP-FAST method contains four tabs: General, Inner Methods, PACs, PAC Provisioning. The PACs and PAC Provisioning tabs are only available when Using PACs is specified on the General tab for the End-Host Authentication setting.
Table 51: EAP_FAST General tab Parameters (Continued)
Parameter | Description
Session Resumption | Caches EAP-FAST sessions on Policy Manager for reuse if the user/end-host reconnects to Policy Manager within the session timeout interval.
Session Timeout | Caches EAP-FAST sessions on Policy Manager for reuse if the user/end-host reconnects to Policy Manager within the session timeout interval. If the session timeout value is set to 0, the cached sessions are not purged.
Figure 92: Add Authentication Inner Methods tab

To append an inner method to the displayed list, select it from the drop-down list, then click Add. The list can contain multiple inner methods, which Policy Manager will send, in priority order, until negotiation succeeds. To remove an inner method from the displayed list, select the method and click Remove. To set an inner method as the default (the method tried first), select it and click Default.
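The priority-ordered proposal described here for inner methods, and earlier for the outer 802.1X method list (Move Up, Move Down, NAK), modelled as an added example that is not ClearPass code. Method names and the client's supported set are constructed; the NAK handling (server skips methods the client has declared unsupported) follows RFC 3748 Nak semantics and is an assumption about how the negotiation proceeds, not something this guide states.

```python
"""Ordered method negotiation as the Authentication and Inner Methods tabs
describe it (added example, not ClearPass code). Policy Manager proposes its
methods in list order; the client accepts, or answers with a NAK naming the
methods it supports. Method names and client capabilities are constructed."""
from dataclasses import dataclass, field


@dataclass
class MethodList:
    """An ordered list with the Move Up / Move Down / Default controls."""
    methods: list = field(default_factory=list)

    def move_up(self, name):
        i = self.methods.index(name)
        if i > 0:
            self.methods[i - 1], self.methods[i] = self.methods[i], self.methods[i - 1]

    def move_down(self, name):
        i = self.methods.index(name)
        if i < len(self.methods) - 1:
            self.methods[i], self.methods[i + 1] = self.methods[i + 1], self.methods[i]

    def set_default(self, name):
        # "Default" is the method tried first, i.e. moved to the head of the list
        self.methods.remove(name)
        self.methods.insert(0, name)


def negotiate(server, client_supported):
    """Return (chosen_method, transcript).

    The server proposes methods in configured priority order. The client
    accepts a proposal it supports; otherwise it sends a NAK listing the
    methods it does support (RFC 3748 Nak semantics, assumed here), after
    which the server only proposes configured methods the client named.
    If nothing overlaps, negotiation fails.
    """
    transcript = []
    acceptable = None                       # known only after the first NAK
    for proposed in server.methods:
        if acceptable is not None and proposed not in acceptable:
            continue                        # client already declined this type
        transcript.append(("Request", proposed))
        if proposed in client_supported:
            transcript.append(("Response", proposed))
            return proposed, transcript
        transcript.append(("Nak", sorted(client_supported)))
        acceptable = set(client_supported)
    transcript.append(("Failure", None))
    return None, transcript


if __name__ == "__main__":
    outer = MethodList(["EAP-PEAP", "EAP-TLS", "EAP-TTLS"])
    # A certificate-only client NAKs PEAP; the server then offers EAP-TLS.
    print(negotiate(outer, {"EAP-TLS"}))
    outer.set_default("EAP-TLS")            # now EAP-TLS is tried first
    print(negotiate(outer, {"EAP-TLS"}))
```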
Figure 93: EAP_FAST PACs Tab

To provision a Tunnel PAC on the end-host after initial successful machine authentication, specify the Tunnel PAC Expire Time (the time until the PAC expires and must be replaced by automatic or manual provisioning) in hours, days, weeks, months, or years. During authentication, Policy Manager can use the Tunnel PAC shared secret to create the outer EAP-FAST tunnel.
Figure 94: EAP_FAST PAC Provisioning tab

Table 52: EAP_FAST PAC Provisioning tab Parameters
Parameter | Description/Considerations
Allow Anonymous Mode | When in anonymous mode, phase 0 of EAP_FAST provisioning establishes an outer tunnel without end-host/Policy Manager authentication (not as secure as the authenticated mode).
Table 52: EAP_FAST PAC Provisioning tab Parameters (Continued)
Parameter | Description
Accept endhost after authenticated provisioning | After the authenticated provisioning mode is complete and the end-host is provisioned with a PAC, Policy Manager rejects end-host authentication; the end-host subsequently reauthenticates using the newly provisioned PAC. When enabled, Policy Manager accepts the end-host authentication in the provisioning mode itself; the end-host does not have to reauthenticate.
Table 53: EAP-GTC General Tab
Parameter | Description
Name/Description | Freeform label and description.
Type | In this context, always EAP-GTC.
Challenge | Specify an optional password.

EAP-MSCHAPv2

The EAP-MSCHAPv2 method contains one tab: General. This tab labels the method and defines session details.

Figure 96: EAP-MSCHAPv2 General Tab

Table 54: EAP-MSCHAPv2 General Tab
Parameter | Description
Name/Description | Freeform label and description.
Type | In this context, always EAP-MSCHAPv2.
Figure 97: EAP-PEAP General Tab

Table 55: EAP-PEAP General Tab
Parameter | Description
Name/Description | Freeform label and description.
Type | In this context, always EAP-PEAP.
Session Resumption | Caches EAP-PEAP sessions on Policy Manager for reuse if the user/client reconnects to Policy Manager within the session timeout interval.
Session Timeout | Caches EAP-PEAP sessions on Policy Manager for reuse if the user/client reconnects to Policy Manager within the session timeout interval.
Figure 98: EAP-PEAP Inner Methods Tab

Select any method available in the current context from the drop-down list. Additional functions available in this tab include:
- To append an inner method to the displayed list, select it from the drop-down list, then click Add. The list can contain multiple inner methods, which Policy Manager will send, in priority order, until negotiation succeeds.
- To remove an inner method from the displayed list, select the method and click Remove.
Figure 99: EAP-TLS General Tab

Table 56: EAP-TLS General Tab
Parameter | Description
Name/Description | Freeform label and description.
Type | In this context, always EAP_TLS.
Session Resumption | Caches EAP-TLS sessions on Policy Manager for reuse if the user/client reconnects to Policy Manager within the session timeout interval.
Session Timeout | How long (in hours) to retain cached EAP-TLS sessions.
Authorization Required | Specify whether to perform an authorization check.
Table 56: EAP-TLS General Tab (Continued)
Parameter | Description
Verify Certificate using OCSP | Select Optional or Required if the certificate should be verified by the Online Certificate Status Protocol (OCSP). Select None to not verify the certificate.
Override OCSP URL from the Client | Select this option if you want to use a different URL for OCSP. After this is enabled, you can enter a new URL in the OCSP URL field.
Table 57: EAP-TTLS General Tab (Continued)
Parameter | Description
Session Resumption | Caches EAP-TTLS sessions on Policy Manager for reuse if the user/client reconnects to Policy Manager within the session timeout interval.
Session Timeout | How long (in hours) to retain cached EAP-TTLS sessions.

Inner Methods Tab

The Inner Methods tab controls the inner authentication methods for the EAP-TTLS method:

Figure 101: EAP_TTLS Inner Methods Tab

Select any method available from the drop-down list.
Figure 102: MAC-AUTH General Tab

Table 58: MAC-Auth General Tab
Parameter | Description
Name/Description | Freeform label and description.
Type | In this context, always MAC-AUTH.
Allow Unknown End-Hosts | Enables further policy processing of MAC authentication requests of unknown clients. If this is not enabled, Policy Manager automatically rejects a request whose MAC address is not in a configured authentication source.
PAP

The PAP method contains one tab: General. This tab labels the method and defines session details. From this tab, you also specify the PAP encryption scheme.

Figure 104: PAP General Tab

Table 60: PAP General Tab
Parameter | Description
Name/Description | Freeform label and description.
Type | In this context, always PAP.
Encryption Scheme | Select the PAP authentication encryption scheme. Supported schemes are: Clear, Crypt, MD5, SHA1 and Aruba-SSO.
- "Okta" on page 172
- "Static Host List" on page 175
- "Token Server" on page 177

Figure 105: Authentication Sources Listing Page

After you click Add Authentication Source from any of these locations, Policy Manager displays the Add page. Depending on the Authentication Source selected, different tabs and fields appear.
- "General Tab" on page 151
- "Primary Tab" on page 152
- "Attributes Tab" on page 155

General Tab

The General tab labels the authentication source and defines session details.

Figure 107: Generic LDAP or Active Directory (General Tab)

Table 61: Generic LDAP or Active Directory (General Tab)
Parameter | Description
Name/Description | Freeform label and description.
Type | In this context, Generic LDAP or Active Directory.
Table 61: Generic LDAP or Active Directory (General Tab) (Continued)
Parameter | Description
Authorization Sources | You can specify additional sources from which to fetch role mapping attributes. Select a previously configured authentication source from the drop-down list, and click Add to add it to the list of authorization sources. Click Remove to remove it from the list.
Table 62: Generic LDAP or Active Directory (Primary Tab)
Parameter | Description
Hostname | Hostname or IP address of the LDAP or Active Directory server.
Connection Security |
- Select None for the default non-secure connection (usually port 389).
- Select StartTLS for a secure connection that is negotiated over the standard LDAP port. This is the preferred way to connect to an LDAP directory securely.
- Select LDAP over SSL or AD over SSL to choose the legacy way of securely connecting to an LDAP directory.
Parameter | Description
Base DN | Enter the DN of the node in your directory tree from which to start searching for records. After you have entered values for the fields described above, click on Search Base DN to browse the directory hierarchy. The LDAP Browser opens. You can navigate to the DN that you want to use as the Base DN. Click on any node in the tree structure that is displayed to select it as a Base DN. Note that the Base DN is displayed at the top of the LDAP Browser.
Parameter | Description
Password Type | (Available only for Generic LDAP) Specify whether the password type is Cleartext, NT Hash, or LM Hash.
Password Header | (Available only for Generic LDAP) Oracle's LDAP implementation prepends a header to a hashed password string. If using Oracle LDAP, enter the header in this field so the hashed password can be correctly identified and read.
User Certificate | Enter the name of the attribute in the user record from which the user certificate can be retrieved.
Table 63: AD/LDAP Attributes Tab (Filter Listing Screen)
Tab | Parameter/Description
Filter Name / Attribute Name / Alias Name / Enable as Role | Listing column descriptions:
- Filter Name: Name of the filter.
- Attribute Name: Name of the LDAP/AD attributes defined for this filter.
- Alias Name: For each attribute name selected for the filter, you can specify an alias name.
- Enabled As: Specify whether the value is to be used directly as a role or attribute in an Enforcement Policy.
Table 64: AD/LDAP Default Filters Explained Directory Default Filters Active Directory Authentication: This is the filter used for authentication. The query searches in objectClass of type user. This query finds both user and machine accounts in Active Directory: (&(objectClass=user)(sAMAccountName=%{Authentication:Username})) After a request arrives, Policy Manager populates %{Authentication:Username} with the name of the authenticating user or machine.
Table 64: AD/LDAP Default Filters Explained (Continued) Directory Default Filters Generic LDAP Directory Authentication: This is the filter used for authentication. (&(objectClass=*)(uid=%{Authentication:Username})) When a request arrives, Policy Manager populates %{Authentication:Username} with the authenticating user or machine.
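Both default filters above interpolate %{Authentication:Username}, a value that originates with the client, into an LDAP search filter. The following is an added example (not ClearPass code) of how that substitution should be escaped per RFC 4515 so that a crafted username cannot change the filter: a bare * would otherwise turn the authentication query into a match-any search, and unbalanced parentheses would inject extra filter components. The placeholder handling, the escaping routine and the sample sessions are assumptions for illustration; only the two filter strings come from the guide.

```python
"""Expand and escape ClearPass-style LDAP/AD authentication filters.

Added example (not ClearPass code). It assumes Policy Manager substitutes
%{Authentication:Username} into the filter as a plain assertion value.
Escaping follows RFC 4515 section 3, so a username supplied by the
client cannot add, close or wildcard filter components.
"""
import re

# Default filters as printed in Table 64.
AD_AUTH_FILTER = "(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))"
LDAP_AUTH_FILTER = "(&(objectClass=*)(uid=%{Authentication:Username}))"

# RFC 4515: these characters are filter syntax and must be hex-escaped
# when they occur inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Placeholder syntax used by the guide, e.g. %{Authentication:Username}.
_PLACEHOLDER = re.compile(r"%\{([A-Za-z0-9_-]+):([A-Za-z0-9_-]+)\}")


def escape_filter_value(value: str) -> str:
    """Escape one assertion value. Each character is mapped exactly once,
    so a backslash in the input is not re-escaped by a later substitution."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _lookup(session: dict, match) -> str:
    key = f"{match.group(1)}:{match.group(2)}"
    if key not in session:
        # Fail closed: an empty or defaulted value would otherwise produce
        # a filter that matches far more than the intended record.
        raise KeyError(f"session has no attribute {key}")
    return session[key]


def naive_render(template: str, session: dict) -> str:
    """Unsafe substitution, kept only to show the injection it allows."""
    return _PLACEHOLDER.sub(lambda m: _lookup(session, m), template)


def render_filter(template: str, session: dict) -> str:
    """Safe substitution: every placeholder value is RFC 4515-escaped."""
    return _PLACEHOLDER.sub(lambda m: escape_filter_value(_lookup(session, m)), template)


if __name__ == "__main__":
    # Constructed sample sessions for demonstration.
    normal = {"Authentication:Username": "alice"}
    wildcard = {"Authentication:Username": "*"}
    hostile = {"Authentication:Username": "alice)(|(sAMAccountName=*"}
    print(render_filter(AD_AUTH_FILTER, normal))
    print(naive_render(AD_AUTH_FILTER, wildcard))   # matches every user object
    print(render_filter(AD_AUTH_FILTER, wildcard))  # literal \2a, matches nothing
    print(naive_render(AD_AUTH_FILTER, hostile))    # extra components injected
    print(render_filter(AD_AUTH_FILTER, hostile))   # parentheses neutralised
```

The same escaping applies to any other session attribute you place in a custom filter (Table 67, Step 3): the filter template is trusted configuration, but the substituted value is request data.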
Table 65: AD/LDAP Configure Filter Popup (Browse Tab) Navigation Description Find Node / Go Go directly to a given node by entering its Distinguished Name (DN) and clicking on the Go button. Filter Tab The Filter tab provides an LDAP browser interface to define the filter search query. Through this interface you can define the attributes used in the filter query.
Table 66: Configure Filter Popup (Filter Tab) (Continued) Parameter Description Select the attributes for filter This table has a name and value column. There are two ways to enter the attribute name:
- By going to a node of interest, inspecting the attributes, and then manually entering the attribute name by clicking on Click to add... in the table row.
- By clicking on an attribute on the right hand side of the LDAP browser. The attribute name and value are automatically populated in the table.
Table 67: Filter Creation Steps (Continued) Step Description Step 3 Enter value (optional) At this point, you have values for a specific record (Alice's record, in this case). Change the value to a dynamic session attribute that will help Policy Manager associate a session with a specific record in LDAP/AD. For example, if you selected the sAMAccountName attribute in AD, click on the value field and select %{Authentication:Username}.
Table 68: AD/LDAP Configure Filter Popup (Attributes Tab) (Continued) Parameter Description Execute After you have entered the values for all dynamic parameters, click Execute to execute the filter query. You see all entries that match the filter query. Click on one of the entries (nodes) and you see the list of attributes for that node. You can now click on the attribute names that you want to use as role mapping attributes.
Figure 115: Modify Default Filters The attributes that are defined for the authentication source show up as attributes in role mapping policy rules editor under the authorization source namespace. Then, on the Role Mappings Rules Editor page, the Operator values that display are based on the Data type specified here. If, for example, you modify the Active Directory department to be an Integer rather than a String, then the list of Operator values will populate with values that are specific to Integers.
Figure 116: Generic SQL DB (General Tab) Table 69: Generic SQL DB (General Tab) Parameter Description Name/Description Freeform label and description. Type In this context, Generic SQL DB. Use for Authorization This check box instructs Policy Manager to fetch role mapping attributes (or authorization attributes) from this authentication source.
Primary Tab The Primary tab defines the settings for the primary server. Figure 117: Generic SQL DB (Primary Tab) Table 70: Generic SQL DB (Primary Tab) Parameter Description Server Name Enter the hostname or IP address of the database server. Port (Optional) Specify a port value if you want to override the default port. Database Name Enter the name of the database to retrieve records from. Login Username/Password Enter the name and password of the user used to log into the database.
Figure 118: Generic SQL DB (Attributes Tab) Table 71: Generic SQL DB Attributes Tab (Filter List) Tab Parameter/Description Filter Name / Attribute Name / Alias Name / Enabled As Listing column descriptions:
- Filter Name: Name of the filter.
- Attribute Name: Names of the SQL DB attributes defined for this filter.
- Alias Name: For each attribute name selected for the filter, you can specify an alias name.
- Enabled As: Indicates whether the filter is enabled as a role or attribute type.
Parameter Description Name / Alias Name / Data Type/ Enabled As Name: This is the name of the attribute. Alias Name: A friendly name for the attribute. By default, this is the same as the attribute name. Data Type: Specify the data type for this attribute, such as String, Integer, Boolean, etc. Enabled As: Specify whether this value is to be used directly as a role or attribute in an Enforcement Policy. This bypasses the step of having to assign a role in Policy Manager through a Role Mapping Policy.
Table 73: HTTP (General Tab) Parameter Description Name/Description Freeform label and description. Type In this context, HTTP. Use for Authorization This check box instructs Policy Manager to fetch role mapping attributes (or authorization attributes) from this authentication source. If a user or device successfully authenticates against this authentication source, then Policy Manager also fetches role mapping attributes from the same source (if this setting is enabled).
Table 74: HTTP (Primary Tab) Parameter Description Base URL Enter the base URL (host name) or IP address of the HTTP server, for example http://<host> or http://<host>:xxxx, where xxxx is the port used to access the HTTP server. Use an https:// URL where the server supports it; over plain http:// the login credentials and the fetched attributes are sent in the clear. Login Username/Password Enter the name of the user used to log into the HTTP server. This account should have read access to all the attributes that need to be retrieved by the specified filters. Enter the password for the user account entered in the field above.
Figure 123: HTTP Filter Configure Popup Table 76: HTTP Configure Filter Popup Parameter Description Filter Name Name of the filter. Filter Query The HTTP path (without the server name) to fetch the attributes from the HTTP server. For example, if the full path name to the filter is http server URL = http://:xxxx/abc/def/xyz, you enter /abc/def/xyz. Name / Alias Name / Data Type / Enabled As Name: This is the name of the attribute. Alias Name: A friendly name for the attribute.
details. Figure 124: Kerberos General Tab Table 77: Kerberos (General tab) Parameter Description Name/Description Freeform label and description. Type In this context, Kerberos. Use for Authorization Disabled in this context. Authorization Sources You must specify one or more authorization sources from which to fetch role mapping attributes. Select a previously configured authentication source from the drop-down list, and click Add to add it to the list of authorization sources.
Figure 125: Kerberos (Primary Tab) Table 78: Kerberos (Primary Tab) Parameter Description Hostname/Port Host name or IP address of the Kerberos server, and the port on which it listens for Kerberos connections. The default port is 88. Realm The domain of authentication. In the case of Kerberos, this is the Kerberos realm. Service Principal Name The identity of the service principal as configured in the Kerberos server. Service Principal Password Password for the service principal.
General Tab Figure 126: Okta General Tab Table 79: Okta (General tab) Parameter Description Name/Description Freeform label and description. Type In this context, Okta. Use for Authorization This check box instructs Policy Manager to fetch role mapping attributes (or authorization attributes) from this authentication source.
Primary Tab Figure 127: Okta Primary Tab Table 80: Okta (Primary Tab) Parameter Description URL Enter the address of the Okta server. Authorization Token Enter the authorization token as provided by Okta support. Attributes Tab Figure 128: Okta Attributes Tab Table 81: Okta (Attributes Tab) Tab Parameter/Description Filter Name / Attribute Name / Alias Name / Enable as Role Listing column descriptions:
- Filter Name: Name of the filter. (Only Group can be configured for Okta.)
Figure 129: Okta Filter Configure Popup Table 82: Okta Configure Filter Popup Parameter Description Filter Name Name of the filter. Filter Query A SQL query to fetch the attributes from the user or device record in DB. Name / Alias Name / Data Type/ Enabled As Name: This is the name of the attribute. Alias Name: A friendly name for the attribute. By default, this is the same as the attribute name. Data Type: Specify the data type for this attribute, such as String, Integer, Boolean, etc.
General Tab The General Tab labels the authentication source. Figure 130: Static Host List (General Tab) Table 83: Static Host List (General Tab) Parameter Description Name/ Description Freeform label. Type Static Host List, in this context. Use for Authorization/Authorization Sources These options are not configurable. Static Host Lists Tab The Static Hosts List tab defines the list of static hosts to be included as part of the authorization source.
Token Server Policy Manager can perform GTC authentication against any token server that can authenticate users by acting as a RADIUS server (for example, an RSA SecurID token server). Policy Manager authenticates the user against the token server and fetches role mapping attributes from any other configured Authorization Source, so pair this source type with an authorization source (identity store) that contains the user records.
Table 85: Token Server General tab Parameters (Continued) Parameter Description Use for Authorization This check box instructs Policy Manager to fetch role mapping attributes (or authorization attributes) from this authentication source. If a user or device successfully authenticates against this authentication source, then Policy Manager also fetches role mapping attributes from the same source (if this setting is enabled).
Table 86: Token Server (Primary Tab) Parameter Description Server Name/Port Host name or IP address of the token server, and the UDP port at which the token server listens for RADIUS connections. The default port is 1812. Secret RADIUS shared secret to connect to the token server. Attributes Tab The Attributes tab defines the RADIUS attributes to be fetched from the token server. These attributes can be used in role mapping policies.
Chapter 8 Identity Roles can range in complexity from a simple user group (e.g., Finance, Engineering, or Human Resources) to a combination of a user group with some dynamic constraints (e.g., "San Jose Night Shift Worker": an employee in the Engineering department who logs in through the San Jose network device between 8 PM and 5 AM on weekdays). It can also apply to a list of users.
other database); by way of an example of such a class of users, guest or contractor records can be stored in the local user repository. To authenticate local users from a particular Service, include [Local User Repository] among the Authentication Sources. The Single Sign-On page allows you to enable access for Insight, Guest, and/or Policy Manager using a trusted IdP certificate. The Local Users page configures role-based access for individual users.
Figure 136: Single Sign-On - SAML SP Configuration tab Figure 137: Single Sign-On - SAML IdP Configuration tab Adding and Modifying Local Users Policy Manager lists all local users in the Local Users page.
- To add a local user, click Add User to display the Add Local User popup.
- To edit a local user, in the Local Users listing page, click on the name to display the Edit Local User popup.
- To delete a local user, in the Local Users listing page, select it (via the check box) and click Delete.
Figure 138: Local Users Listing Figure 139: Add Local User page Table 87: Add Local User Page Parameters Parameter Description User ID/ Name /Password/ Verify Password: Freeform labels and password. Enable User: Uncheck to disable this user account. Role: Select a static role for this local user.
Table 87: Add Local User Page Parameters (Continued) Parameter Description Attributes: Add custom attributes for this local user. Click on the “Click to add...” row to add custom attributes. By default, four custom attributes appear in the Attribute drop-down list: Phone, Email, Sponsor, Designation. You can enter any name in the attribute field. All attributes are of String datatype. The value field can also be populated with any string.
Figure 142: Add Endpoint Page Table 88: Add Endpoint Page Parameters Parameter Description MAC Address MAC address of the endpoint. Status Mark as Known, Unknown or Disabled client. The Known and Unknown status can be used in role mapping rules via the Authentication:MacAuth attribute. The Disabled status can be used to block access to a specific endpoint. This status is automatically set when an endpoint is blocked from the Endpoint Activity table (in the Live Monitoring section).
Figure 143: Endpoint Popup Additional Available Tasks
- To delete an endpoint, in the Endpoints listing page, select it (via check box) and click the Delete button.
- To export an endpoint, in the Endpoints listing page, select it (via check box) and click the Export button.
- To export ALL endpoints, in the Endpoints listing page, click the Export All Endpoints link in the upper right corner of the page.
Figure 145: Add Static Host List Page Table 89: Add Static Host List Page Parameters Parameter Description Name/ Description: Freeform labels and descriptions. Host Format: Select a format for expression of the address: subnet, IP address or regular expression. Host Type: Select a host type: IP Address or MAC Address (radio buttons). List: Use the Add Host and Remove Host widgets to maintain membership in the current Static Host List.
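The Host Format and Host Type choices above determine how a connecting endpoint is compared with the list. The following added example (not ClearPass code) shows one way to evaluate a Static Host List against an IP or MAC address for all three formats, including the pitfalls of unanchored regular expressions and of MAC addresses written with different separators. The entry layout, the canonical MAC form used for regular-expression matching and the sample addresses are assumptions for illustration.

```python
"""Match endpoints against a Static Host List.

Added example (not ClearPass code). The guide defines the host formats
(subnet, IP address, regular expression) and host types (IP Address, MAC
Address); how entries are stored and compared here is an assumption made
for illustration. MAC regular expressions are matched against a canonical
form (12 lowercase hex digits, no separators).
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class HostEntry:
    host_type: str    # "ip" or "mac"
    host_format: str  # "subnet", "address" or "regex"
    value: str


def normalize_mac(mac: str) -> str:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455 and
    return 001122334455; anything else is rejected rather than guessed."""
    if not re.fullmatch(r"[0-9A-Fa-f:.-]+", mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def entry_matches(entry: HostEntry, candidate: str) -> bool:
    """Compare one list entry with a candidate of the same host type."""
    if entry.host_format == "regex":
        # fullmatch anchors the pattern; re.search would let the entry
        # "1\.2\.3" match "10.1.2.3" as a substring.
        subject = normalize_mac(candidate) if entry.host_type == "mac" else candidate
        return re.fullmatch(entry.value, subject) is not None
    if entry.host_type == "mac":
        return normalize_mac(entry.value) == normalize_mac(candidate)
    addr = ipaddress.ip_address(candidate)
    if entry.host_format == "subnet":
        return addr in ipaddress.ip_network(entry.value, strict=False)
    return addr == ipaddress.ip_address(entry.value)


def in_static_host_list(entries, host_type: str, candidate: str) -> bool:
    """True if any entry of the given host type matches the candidate.
    Entries of the other type are skipped instead of being compared."""
    return any(entry_matches(e, candidate)
               for e in entries if e.host_type == host_type)


# Constructed sample list with hypothetical addresses.
PRINTERS = [
    HostEntry("ip", "subnet", "10.20.30.0/24"),
    HostEntry("ip", "address", "192.0.2.7"),
    HostEntry("mac", "address", "00:11:22:33:44:55"),
    HostEntry("mac", "regex", r"001b63[0-9a-f]{6}"),  # hypothetical OUI prefix
]

if __name__ == "__main__":
    for kind, host in [("ip", "10.20.30.200"), ("ip", "10.20.31.1"),
                       ("mac", "00-11-22-33-44-55"), ("mac", "001B.6300.0001")]:
        print(kind, host, in_static_host_list(PRINTERS, kind, host))
```

Because a Static Host List is used as an authentication source for devices that cannot prove their identity (MAC-based access), anything a list admits is trusted on the strength of a spoofable address; keep regular-expression entries as narrow as the regex above and prefer exact addresses where the device population is known.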
Configuring a Role Mapping Policy After authenticating a request, a Policy Manager Service invokes its Role Mapping Policy, resulting in assignment of a role(s) to the client. This role becomes the identity component of Enforcement Policy decisions. A service can be configured without a Role Mapping Policy, but only one Role Mapping Policy can be configured for each service.
When you click Add Roles from any of these locations, Policy Manager displays the Add New Role popup. Figure 147: Add New Role Page Table 90: Add New Role Page Parameters Parameter Description Role Name /Description Freeform label and description.
Figure 149: Role Mappings (Policy Tab) Table 91: Role Mappings (Policy tab) Parameters Parameter Description Policy Name /Description Freeform label and description. Default Role Select the role to which Policy Manager will default when the role mapping policy does not produce a match. View Details / Modify / Add new Role Click on View Details to view the details of the default role. Click on Modify to modify the default role. Click on Add new Role to add a new role.
Figure 151: Rules Editor Page Table 92: Role Mappings Page (Rules Editor) Page Parameters Parameter Description Type The rules editor appears throughout the Policy Manager interface. It exposes different namespace dictionaries depending on context. (Refer to "Namespaces" on page 445.)
The Operator values that display for each Type and Name are based on the data type specified for the Authentication Source (from the Configuration > Authentication > Sources page). If, for example, you modify the UserDN Data type on the Authentication Sources page to be an Integer rather than a string, then the list of Operator values here will populate with values that are specific to Integers. After you save your Role Mapping configuration, it appears in the Mapping Rules list.
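The following added example (not ClearPass code) models the behaviour described above: the set of operators a rule may use depends on the data type declared for the attribute on the Authentication Sources page, rules are tried in order, and the Default Role applies when no rule matches. The operator sets, the first-match evaluation, the attribute names and the sample rules are assumptions for illustration.

```python
"""Evaluate role mapping rules with data-type-aware operators.

Added example (not ClearPass code). Operator sets per data type, the
first-match evaluation order, the attribute schema and the sample rules
are assumptions made for illustration.
"""
import re

# Operators offered for each data type (assumed set).
OPERATORS = {
    "String": {
        "EQUALS": lambda a, v: a == v,
        "CONTAINS": lambda a, v: v in a,
        "MATCHES_REGEX": lambda a, v: re.fullmatch(v, a) is not None,
        "BELONGS_TO": lambda a, v: a in v.split(","),
    },
    "Integer": {
        "EQUALS": lambda a, v: a == int(v),
        "GREATER_THAN": lambda a, v: a > int(v),
        "LESS_THAN": lambda a, v: a < int(v),
    },
}

# Data types as declared for the authorization source attributes (assumed).
SCHEMA = {
    "Authorization:AD:department": "String",
    "Authorization:AD:memberOf": "String",
    "Authorization:AD:badge_level": "Integer",
}


def condition_true(session: dict, attr: str, operator: str, value: str) -> bool:
    dtype = SCHEMA.get(attr)
    if dtype is None:
        raise KeyError(f"unknown attribute {attr}")
    ops = OPERATORS[dtype]
    if operator not in ops:
        # An Integer operator on a String attribute (or the reverse) is a
        # policy authoring error and should not degrade into a silent non-match.
        raise ValueError(f"{operator} is not valid for {dtype} attribute {attr}")
    if attr not in session:
        return False  # attribute was not fetched, so the condition cannot hold
    return ops[operator](session[attr], value)


def map_role(rules, session: dict, default_role: str) -> str:
    """rules: list of (role, [(attr, operator, value), ...]). Every condition
    of a rule must hold; the first matching rule wins, else the default role."""
    for role, conditions in rules:
        if all(condition_true(session, *c) for c in conditions):
            return role
    return default_role


# Constructed rules and sessions with hypothetical attribute values.
RULES = [
    ("Finance-Privileged", [("Authorization:AD:department", "EQUALS", "Finance"),
                            ("Authorization:AD:badge_level", "GREATER_THAN", "3")]),
    ("Finance", [("Authorization:AD:department", "EQUALS", "Finance")]),
    ("Engineering", [("Authorization:AD:memberOf", "MATCHES_REGEX", r"CN=Eng.*,.*")]),
]

if __name__ == "__main__":
    alice = {"Authorization:AD:department": "Finance", "Authorization:AD:badge_level": 5}
    print(map_role(RULES, alice, "[Guest]"))
```

Note that a rule whose attribute was never fetched (for example because Use for Authorization is unchecked on the source) simply fails to match and the request falls through to the Default Role, so choose a Default Role that grants the least access.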
Chapter 9 Posture Policy Manager provides several posture methods to evaluate the health of the clients that request access. These methods all return Posture Tokens (e.g., Healthy, Quarantine) for use by Policy Manager as input to Enforcement Policy. One or more posture methods can be associated with a Service.
Figure 152: Posture Evaluation Process Policy Manager uses posture evaluation to assess client consistency with enterprise endpoint health policies, specifically with respect to:
- Operating system version/type
- Registry keys/services present (or absent)
- Antivirus/antispyware/firewall configuration
- Patch level of different software components
- Peer to Peer application checks
- Services to be running or not running
- Processes to be running or not running
Each configured health check ret
Upon completion of all configured posture checks, Policy Manager evaluates all application tokens and calculates a system token, equivalent to the most restrictive rating for all returned application tokens. The system token provides the health posture component for input to the Enforcement Policy. A Service can also be configured without any Posture policy. Configuring Posture The following image displays how to configure Posture at the Service level.
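The following added example (not ClearPass code) shows the folding step described above: each health check yields an application token and the system token is the most restrictive of them. The guide names Healthy and Quarantine; the full token ranking, the three sample checks, their thresholds and the constructed health reports are assumptions for illustration.

```python
"""Compute a system posture token from per-check application tokens.

Added example (not ClearPass code). The guide states that the system token
equals the most restrictive of the returned application tokens. The
ranking below, the checks and their thresholds are assumptions; only
Healthy and Quarantine are tokens the guide names.
"""
from datetime import date, timedelta

# Least to most restrictive (assumed ordering).
TOKEN_RANK = {"Healthy": 0, "Checkup": 1, "Transition": 2,
              "Quarantine": 3, "Infected": 4, "Unknown": 5}

# Fixed "today" so the example is deterministic (constructed).
EVAL_DATE = date(2014, 6, 2)


def system_token(app_tokens, no_data="Unknown"):
    """Return the most restrictive token. With no tokens the client sent no
    posture data, so return `no_data` rather than assuming Healthy."""
    if not app_tokens:
        return no_data
    bad = [t for t in app_tokens if t not in TOKEN_RANK]
    if bad:
        raise ValueError(f"unrecognised posture token(s): {bad}")
    return max(app_tokens, key=TOKEN_RANK.__getitem__)


# Hypothetical health checks over a constructed health report (a dict).
def check_firewall(report):
    return "Healthy" if report.get("firewall_on") else "Quarantine"


def check_antivirus(report, max_age_days=7):
    if not report.get("av_running"):
        return "Quarantine"
    if report.get("av_datafile_date") is None:
        return "Unknown"  # agent could not read the data file date
    age = EVAL_DATE - report["av_datafile_date"]
    return "Checkup" if age > timedelta(days=max_age_days) else "Healthy"


def check_p2p(report):
    return "Quarantine" if report.get("p2p_processes") else "Healthy"


CHECKS = {"firewall": check_firewall, "antivirus": check_antivirus, "p2p": check_p2p}


def evaluate(report):
    """Run every configured check; return (system token, per-check tokens)."""
    app_tokens = {name: check(report) for name, check in CHECKS.items()}
    return system_token(list(app_tokens.values())), app_tokens


# Constructed sample reports.
CLEAN_REPORT = {"firewall_on": True, "av_running": True,
                "av_datafile_date": date(2014, 6, 1), "p2p_processes": []}
STALE_REPORT = {"firewall_on": True, "av_running": True,
                "av_datafile_date": date(2014, 5, 1), "p2p_processes": ["utorrent.exe"]}

if __name__ == "__main__":
    print(evaluate(CLEAN_REPORT))
    print(evaluate(STALE_REPORT))
```

The design point is that the fold is a maximum, not a vote: one failed check is enough to quarantine a client whose other checks all pass, and an absent report must not be read as a clean one.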
Table 93: Posture Features at the Service Level (Continued) Configurable Component How to Configure Remediation URL This URL defines where to send additional remediation information to endpoints. Sequence of Posture Servers Select a Posture Server, then select Move Up, Move Down, Remove, or View Details.
- To add a previously configured Posture Server, select from the Select drop-down list, then click Add.
Table 94: NAP Agent Posture Plugins for Windows Operating Systems (Continued) Operating System Versions Windows Security Health Validator The Windows Security Health Validator parameters permit or deny client computers access to your network, subject to checks of the client's system for Firewall, Virus Protection, Spyware Protection, Automatic Updates, and Security Updates*.
- An environment that does not support 802.1X based authentication, such as some legacy Microsoft Windows operating systems, or legacy network devices.
- An environment configured with an operating system that provides native support for 802.1X, but does not have a built-in health agent. Mac OS X is an example of this type of environment.
Select the Posture Agent: OnGuard Agent (Persistent or Dissolvable) for use in the following scenarios: Table 97: OnGuard Agent (Persistent or Dissolvable) Posture Plugins for Mac OS X Plugin Name Description ClearPass Mac OS X Universal System Health Validator The configurable parameter categories for this validator are:
- Services
- Processes
- AntiVirus
- AntiSpyware
- Firewall
- Patch Management
- Peer To Peer
- USB Devices
- Virtual Machines
- Network Connections
- Disk Encry
Figure 154: ClearPass Linux Universal System Health Validator - NAP Agent Select a Linux version and click the Enable checks check box for that version. The Services view appears automatically and provides a set of widgets for specifying which services are to be explicitly running or stopped for the different Linux versions.
Figure 155: General Configuration Section Select Firewall Check to display a view where you can specify Firewall parameters, specifically with respect to which ports may be open or blocked. Figure 156: Firewall view Select Antivirus Check, then click Add in the view that appears to specify Antivirus details. Figure 157: Antivirus Check view When you save your Antivirus configuration, it appears in the Antivirus page list. Figure 158: Antivirus Check
Table 99: Antivirus Check Interface Parameter Description Antivirus Main view Add To configure Antivirus application attributes for testing against health data, click Add. Trashcan icon To remove configured Antivirus application attributes from the list, click the trashcan icon in that row. Product/Version/Last Check Configure the specific settings for which to test against health data.
Figure 160: Windows Security Health Validator ClearPass Linux Universal System Health Validator - OnGuard Agent The ClearPass Linux Universal System Health Validator - OnGuard Agent page popup appears in response to actions in the Posture Plugins tab of the Posture configuration (When you select Linux and OnGuard Agent from the posture policy page).
Figure 161: ClearPass Mac OS X Universal System Health Validator - OnGuard Agent Services Use the Services page to configure which services to run and which services to stop. See "ClearPass Windows Universal System Health Validator - OnGuard Agent" on page 212 for a description of the fields on this page. Figure 162: Services Configuration Page Processes The Processes page provides a set of components for specifying specific processes to be explicitly present or absent on the system.
Figure 164: Processes Add Page Antivirus In the Antivirus page, you can specify that an Antivirus application must be on and drill down to specify information about the Antivirus application. Click on An Antivirus Application is On to configure the Antivirus application information. When enabled, the Antivirus detail page appears. Figure 165: Antivirus Page (Detail 1) Click Add to specify product and version check information.
Figure 167: AntiSpyware Page Figure 168: AntiSpyware Add Page In the Antispyware page, click An Antispyware Application is On to configure the Antispyware application information. The configuration elements are the same as for antivirus products; refer to the Antivirus configuration details above. When you save your Antispyware configuration, it appears in the Antispyware page list.
Figure 170: Firewall Add Page When enabled, the Firewall detail page appears. See "ClearPass Windows Universal System Health Validator OnGuard Agent" on page 212 for firewall page and field descriptions. Patch Management In the Patch Management page, you can view or add the patch management product, and configure Auto Remediation and User Notification features.
Figure 173: USB Devices Page Virtual Machine The Virtual Machines page provides configuration for checks on the virtual machines used in your network. Figure 174: Virtual Machine Page Network Connections The Network Connections page provides configuration to control network connections based on connection type. Select the Check for Network Connection Types check box, and then click Configure to specify the types of connection that you want to include.
Figure 177: Disk Encryption Page Figure 178: Disk Encryption Add Page Installed Applications The Installed Applications category groups classes that represent software-related objects. In the Installed Applications page, you can turn on the installed applications check and specify information about which installed applications you want to monitor. You can take the following actions:
- Specify installed applications to monitor on a mandatory basis.
ClearPass Windows Universal System Health Validator - OnGuard Agent The ClearPass Windows Universal System Health Validator page is displayed after you configure the OnGuard agent and the Windows system in the Posture Plugins tab. Figure 181: ClearPass Windows Universal System Health Validator Select a version of Windows and click the check box to enable checks for that version. Enabling checks for a specific version displays the following set of configuration pages.
Figure 182: Services Page Table 100: Services Page Parameter Description Auto Remediation Enable to allow auto remediation for service checks (Automatically stop or start services based on the entries in Service to run and Services to stop configuration). User Notification Enable to allow user notifications for service check policy violations.
Table 101: Process Page (Overview - Pre-Add) Parameter Description Auto Remediation Enable to allow auto remediation for process checks (automatically start or stop processes based on the entries in the Processes to be present and Processes to be absent configuration). User Notification Enable to allow user notifications for process check policy violations.
Figure 185: Process to be Absent Page (Detail) Table 103: Process to be Absent Page (Detail) Parameter Description Check Type Select the type of process check to perform. The agent can look for: Process Name - The agent looks for all processes that match the given name. For example, if notepad.exe is specified, the agent kills all processes whose name matches, regardless of the location from which these processes were started. Enter the Display name
Figure 186: Process Page (Overview - Post Add) Registry Keys The Registry Keys page provides a set of parameters that are used to specify which registry keys are to be explicitly present or absent. Figure 187: Registry Keys Page (Overview) Table 104: Registry Keys Page (Overview - Pre-Add) Parameter Description Auto Remediation Enable to allow auto remediation for registry checks.
Figure 188: Registry Keys Page (Detail) Table 105: Registry Keys Page (Detail) Parameter Description Hive/Key/Value (name, type, data) Identifying information for a specific setting for a specific registry key. After you save the Registry details, the information appears in the Registry page list. Figure 189: Registry Keys Page (Overview - Post Add) AntiVirus In the Antivirus page, you can turn on an Antivirus application check.
Figure 192: Antivirus Page (Detail 2) After you save your Antivirus configuration, it appears in the Antivirus page list. Figure 193: Antivirus Page (Overview - After) Table 106: Antivirus Page
Interface: Antivirus Page. Parameters:
- An Antivirus Application is On: Click to enable testing of health data for the configured Antivirus application(s).
- Auto Remediation: Enable to allow auto remediation for antivirus checks.
- User Notification: Enable to allow user notifications for antivirus check policy violations.
- Display Update URL
Interface: Antivirus Page (Detail 1). Parameters:
- Add: Click Add to specify product and version check information.
Interface: Antivirus Page (Detail 2). Parameters (product-specific checks): Select the antivirus product, Product version check, Engine version check, Datafile version check, Data file has been updated in, Last scan has been done before, Real-time Protection Status Check. Description: Configure the specific settings for which to test against health data. Not all of these checks are available for every product.
Figure 196: AntiSpyware Page (Detail 2) Figure 197: AntiSpyware Page (Overview After) When you save your AntiSpyware configuration, it appears in the AntiSpyware page list. The configuration elements are the same for antivirus and antispyware products. Refer to the previous Antivirus configuration instructions. Firewall In the Firewall page, you can specify that a Firewall application must be on and specify information about the Firewall application.
Figure 201: Firewall Page (Overview After) Table 107: Firewall Page
Interface: Firewall Page. Parameters:
- A Firewall Application is On: Check the box to enable testing of health data for the configured firewall application(s).
- Auto Remediation
- User Notification
- Uncheck to allow any product
Interface: Firewall Page (Detail 1). Parameters:
- Add
- Trashcan icon
Interface: Firewall Page (Detail 2). Parameters:
- Product/Version
Table 108: Peer to Peer Page Parameter Description Auto Remediation Enable to allow auto remediation for service checks (Automatically stop peer to peer applications based on the entries in Applications to stop configuration). User Notification Enable to allow user notifications for peer to peer application/network check policy violations.
Table 109: Patch Management Page
Interface: Patch Management Page. Parameters:
- A patch management application is on: Check this box to enable testing of health data for the configured patch management application(s).
- Auto Remediation
- User Notification
- Uncheck to allow any product
Interface: Patch Management Page (Detail 1). Parameters:
- Add
- Trashcan icon
Interface: Patch Management Page (Detail 2). Parameters:
- Product/Version
Windows Hotfixes The Windows Hotfixes page provides a set of widgets for checking if specific Windows hotfixes are installed on the endpoint. Figure 207: Windows Hotfixes Page Table 110: Windows Hotfixes Parameter Description Auto Remediation Enable to allow auto remediation for hotfixes checks (Automatically trigger updates of the specified hotfixes). User Notification Enable to allow user notifications for hotfixes check policy violations. Monitor Mode Click to enable Monitor Mode.
Table 111: USB Devices (Continued) Parameter Description User Notification Enable to allow user notifications for USB devices policy violations. Remediation Action for USB Mass Storage Devices
- No Action - Take no action; do not eject or disable the attached devices.
- Remove USB Mass Storage Devices - Eject the attached devices.
- Disable USB Mass Storage Devices - Stop the attached devices.
Figure 210: Network Connections Select the Check for Network Connection Types check box, and then click Configure to specify the type of connection that you want to include.
Table 114: Network Connections Configuration Parameter Description Auto Remediation Enable to allow auto remediation for network connections. User Notification Enable to allow user notifications network connection policy violations. Remediation Action for Bridge Network Connection If Allow Bridge Network Connection is disabled, then specify whether to take no action when a bridge network connection exists or to disable all bridge network connections.
Table 115: Disk Encryption Parameters (Continued) Parameter Description Product Version is at least Check for the product version of the selected product. Locations to Check Select the locations to check. The options are None, System Root Drive, All Drives, or Specific Locations. Installed Applications The Installed Applications category groups classes that represent software-related objects. Access to these objects is supported by Windows Installer.
Table 116: Installed Applications Configuration Page (Continued) Parameter Description User Notification A remediation message listing the applications to install or uninstall is displayed to the end user. Monitor Mode Click to enable Monitor Mode for the installed applications check.
Figure 214: Windows System Health Validator - OnGuard Agent (Overview) Adding and Modifying Posture Servers Policy Manager can forward all or part of the posture data received from the client to Posture Servers. The Posture Server evaluates the posture data and returns Application Posture Tokens.
Microsoft NPS Use the Microsoft NPS server when you want Policy Manager to have health (NAP Statement of Health (SoH) credentials) evaluated by the Microsoft NPS Server. Table 117: Microsoft NPS Settings (Posture Server tab) Parameter Description Name/Description: Freeform label and description. Server Type: Always Microsoft NPS. Default Posture Token: Posture token assigned if the server is unreachable or if there is a posture check failure. Select a status from the drop-down list.
Chapter 10 Audit Servers Audit Servers evaluate posture, role, or both, for unmanaged or unmanageable clients. One example could be clients that lack an adequate posture agent or 802.1X supplicant. For example, printers, PDAs, or guest users might not be able to send posture credentials or identify themselves. A Policy Manager Service can trigger an audit by sending a client ID to a pre-configured audit server, and the server returns attributes for role mapping and posture evaluation.
- "Built-In Audit Servers" on page 234
- "Custom Audit Servers" on page 236
- "Post-Audit Rules" on page 242
Built-In Audit Servers When configuring an audit as part of a Policy Manager Service, you can select the default Nessus ([Nessus Server]) or NMAP ([Nmap Audit]) configuration. Add Auditing to a Policy Manager Service 1.
Table 119: Audit tab
Audit Server/Add new Audit Server: Select a built-in server profile from the list:
- [Nessus Server] performs vulnerability scanning. It returns a Healthy or Quarantine result.
- [Nmap Audit] performs network port scans. The health evaluation always returns Healthy; the port scan gathers attributes from which post-audit rules determine the Role(s).
Figure 220: Audit Servers Listing
2. Modify the profile, plugins, and/or preferences.
- In the Audit tab, you can modify the In Progress Posture Status and Default Posture Status.
- If you selected a NESSUS server, the Primary/Backup Server tabs allow you to specify a scan profile. When you add a new scan profile, you can select plugins and preferences for it. Refer to "Nessus Scan Profiles" on page 238 for more information.
Figure 222: Nessus Audit Server (Audit Tab)
Table 120: Nessus Audit Server (Audit tab)
Name/Description: Freeform label and description.
Type: For a NESSUS-type Audit Server, always NESSUS.
In Progress Posture Status: Posture status during the audit. Select a status from the drop-down list.
Default Posture Status: Posture status if the evaluation does not return a condition/action match. Select a status from the drop-down list.
Table 121: Nessus Audit Server - Primary and Backup Server tabs
Server Name and Port/Username/Password: Standard NESSUS server configuration fields.
NOTE: For the backup server to be invoked on primary server failover, check the Enable to use backup when primary does not respond check box.
Scan Profile: You can accept the default Scan Profile or select Add/Edit Scan Profile to create other profiles and add them to the Scan Profile list. Refer to "Nessus Scan Profiles" on page 238.
Figure 225: Nessus Scan Profile Configuration (Profile Tab)
- The Selected Plugins tab displays all selected plugins, plus any dependencies. To display a synopsis of a listed plugin, click its row.
Figure 226: Nessus Scan Profile Configuration (Profile Tab) - Plugin Synopsis
Of special interest is the Risks section of the synopsis. To delete a listed plugin, click its trashcan icon.
Figure 227: Nessus Scan Profile Configuration (Selected Plugins Tab)
Figure 228: Nessus Scan Profile Configuration (Selected Plugins Tab) - Vulnerability Level
For each selected plugin, the Preferences tab lists the fields that require entries. In many cases these fields are pre-populated; in other cases you must provide the information the plugin needs to operate.
Figure 230: Audit Tab (NMAP)
Table 122: Audit Tab (NMAP)
Name/Description: Freeform label and description.
Type: For an NMAP-type Audit Server, always NMAP.
In Progress Posture Status: Posture status during the audit. Select a status from the drop-down list.
Default Posture Status: Posture status if the evaluation does not return a condition/action match. Select a status from the drop-down list.
The NMAP Options tab specifies the scan configuration.
Table 123: Options Tab (NMAP)
TCP Scan: To specify a TCP scan, select from the TCP Scan drop-down list. Refer to the NMAP documentation for more information on these options. NMAP option --scanflags.
UDP Scan: To enable, check the UDP Scan check box. NMAP option -sU.
Service Scan: To enable, check the Service Scan check box. NMAP option -sV.
Detect Host Operating System: To enable, check the Detect Host Operating System check box. NMAP option -A.
Figure 233: All Audit Server Configurations (Rules Editor)
Table 125: All Audit Server Configurations (Rules Editor)
Conditions: The Conditions list includes the following dictionaries: Audit-Status, Device-Type, Output-Msgs, Mac-Vendor, Network-Apps, Open-Ports, and OS-Info. Refer to "Rules Editing and Namespaces" on page 445.
Actions: The Actions list includes the names of the roles configured in Policy Manager.
Save: To commit a Condition/Action pairing, click Save.
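The following is an added example, not code from ClearPass or Dell. It shows the path from the NMAP Options tab (Table 123) to the post-audit Rules Editor (Table 125): the Options tab check boxes become Nmap flags, the XML report Nmap produces is reduced to the dictionaries the rules see (Open-Ports, Network-Apps, OS-Info, Mac-Vendor, Audit-Status), and a set of rules maps those attributes to roles. The XML report is constructed; the role names, rule conditions and the AUDIT_SUCCESS/AUDIT_ERROR status strings are assumptions for the example, not values taken from the product. The failure case matters: a host that never answers must not pick up a privileged role from an empty scan, so a failed audit returns only the default role.

```python
# Added example, not ClearPass code: Options tab -> Nmap flags -> XML report ->
# Rules Editor attributes -> roles. Role names, rule conditions and the
# AUDIT_SUCCESS/AUDIT_ERROR strings are assumptions; the XML is constructed.
import xml.etree.ElementTree as ET


def nmap_args(target, tcp_scan=None, udp_scan=False, service_scan=False, detect_os=False):
    """Map the Options tab settings (Table 123) to Nmap flags; ask for XML on stdout."""
    args = ["nmap", "-oX", "-"]
    if tcp_scan:
        args += ["--scanflags", tcp_scan]   # Table 123 maps TCP Scan to --scanflags
    if udp_scan:
        args.append("-sU")
    if service_scan:
        args.append("-sV")
    if detect_os:
        args.append("-A")   # "aggressive": OS detection plus version scan and default scripts
    args.append(target)
    return args


# Constructed Nmap XML report, reduced to the elements the parser reads.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -A -oX - 192.168.5.23">
  <host>
    <address addr="192.168.5.23" addrtype="ipv4"/>
    <address addr="00:1E:0B:AA:BB:CC" addrtype="mac" vendor="Hewlett Packard"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="515"><state state="open"/><service name="printer"/></port>
      <port protocol="tcp" portid="9100"><state state="open"/><service name="jetdirect"/></port>
      <port protocol="tcp" portid="22"><state state="closed"/></port>
    </ports>
    <os><osmatch name="HP JetDirect printer" accuracy="95"/></os>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return audit attributes keyed by the Rules Editor dictionary names."""
    attrs = {"Audit-Status": "AUDIT_SUCCESS", "Open-Ports": [], "Network-Apps": [],
             "OS-Info": "", "Mac-Vendor": ""}
    host = ET.fromstring(xml_text).find("host")
    if host is None:                      # target never answered: nothing to map roles from
        attrs["Audit-Status"] = "AUDIT_ERROR"
        return attrs
    for addr in host.findall("address"):
        if addr.get("addrtype") == "mac":
            attrs["Mac-Vendor"] = addr.get("vendor", "")
    for port in host.findall("ports/port"):
        state = port.find("state")
        if state is not None and state.get("state") == "open":
            attrs["Open-Ports"].append(int(port.get("portid")))
            service = port.find("service")
            if service is not None and service.get("name"):
                attrs["Network-Apps"].append(service.get("name"))
    osmatch = host.find("os/osmatch")
    if osmatch is not None:
        attrs["OS-Info"] = osmatch.get("name", "")
    return attrs


# Post-audit rules: (condition over the attributes, role to add). Assumed roles.
POST_AUDIT_RULES = [
    (lambda a: 9100 in a["Open-Ports"] and "printer" in a["OS-Info"].lower(), "Printer"),
    (lambda a: 3389 in a["Open-Ports"] and "windows" in a["OS-Info"].lower(), "Windows-Host"),
    (lambda a: a["Mac-Vendor"].startswith("Hewlett"), "HP-Device"),
]


def apply_post_audit_rules(attrs, rules=POST_AUDIT_RULES, default_role="[Other]"):
    """Every matching rule contributes its role; a failed audit yields only the default role."""
    if attrs["Audit-Status"] != "AUDIT_SUCCESS":
        return [default_role]
    roles = sorted({role for condition, role in rules if condition(attrs)})
    return roles or [default_role]


def audit_roles(xml_text):
    return apply_post_audit_rules(parse_nmap_xml(xml_text))


if __name__ == "__main__":
    print(nmap_args("192.168.5.23", udp_scan=True, service_scan=True, detect_os=True))
    print(parse_nmap_xml(SAMPLE_NMAP_XML))
    print(audit_roles(SAMPLE_NMAP_XML))
```

Because every matching rule contributes, the sample printer ends up with both Printer and HP-Device; whether roles accumulate or the first match wins is a property of how the rules are evaluated, so check that setting before relying on either behaviour.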
Chapter 11 Enforcement
Policy Manager controls network access by sending a set of access-control attributes to the Network Access Device (NAD) that originated the request. Policy Manager derives these attributes by evaluating the Enforcement Policy associated with the service. The evaluation results in one or more Enforcement Profiles; each Enforcement Profile wraps the access-control attributes sent to the Network Access Device.
Figure 234: Flow of Control of Policy Manager Enforcement
Configuring Enforcement Profiles
You configure Policy Manager Enforcement Profiles globally, but they take effect only when referenced in an Enforcement Policy that is associated with a Service.
l "RADIUS Change of Authorization (CoA)" on page 269 l "Session Restrictions Enforcement" on page 271 l "SNMP Based Enforcement" on page 272 l "TACACS+ Based Enforcement" on page 274 l "VLAN Enforcement" on page 276 Figure 235: Enforcement Profiles Page Policy Manager comes pre-packaged with the default profiles described in : Table 126: Default Enforcement Profiles Profile Available for the following Enforcement Types [Aerohive - Terminate Session] RADIUS_CoA [AirGroup Personal Device] RADI
Table 126: Default Enforcement Profiles (Continued)
[Drop Access Profile]: RADIUS
[Handle AirGroup Time Sharing]: HTTP
[HP - Terminate Session]: RADIUS_CoA
[Juniper Terminate Session]: RADIUS_CoA
[Motorola - Terminate Session]: RADIUS_CoA
[Operator Login - Admin Users]: Application
[Operator Login - Local Users]: Application
[TACACS API Admin]: TACACS
[TACACS Deny Profile]: TACACS
[TACACS Help Desk]: TACACS
[TACACS Network Admin]: TACACS
[TA
Table 127: Add Agent Enforcement Profile tab Parameters (Continued)
Name: Enter the name of the profile. The name is displayed in the Name column on the Configuration > Enforcement > Profiles page.
Description: Enter a description of the profile. The description is displayed in the Description column on the Configuration > Enforcement > Profiles page.
Type: Agent. The field is populated automatically.
Action: Disabled. Enabled only when the RADIUS type is selected.
Aruba Downloadable Role Enforcement
Use this page to configure profile and role configuration attributes for the Aruba Downloadable Role Enforcement Profile.
Profile tab
Figure 238: Aruba Downloadable Role Enforcement Profile tab
Table 129: Aruba Downloadable Role Enforcement Profile tab Parameters
Template: Aruba Downloadable Role Enforcement
Name: Enter the name of the profile. The name is displayed in the Name column on the Configuration > Enforcement > Profiles page.
Figure 239: Aruba Downloadable Role Enforcement Role Configuration tab
Table 130: Role Configuration Attributes page
Reauthentication Interval Time (0-4096): Enter the number of minutes between reauthentications.
VLAN To Be Assigned (1-4094): Enter a number between 1 and 4094 that identifies the VLAN to be assigned.
Click to modify profiles and parameters on the page.
Figure 240: Add Captive Portal Profile Attributes Page
Policer Profile: Click the Add Policer Profile link. Enter a name for the profile. Configure the required attributes and click Save or Cancel.
Figure 241: Add Policer Profile Attributes Page
QoS Profile: Click the Add QoS Profile link. Enter a name for the profile. Configure the required attributes and click Save or Cancel.
Figure 242: Add QoS Profile Attributes Page
VoIP Profile: Click the Add VoIP Profile link. Enter a name for the profile. Configure the required attributes and click Save or Cancel.
Figure 243: Add VoIP Profile Attributes Page
NetService Configuration: Click the Manage NetServices link. Configure the required attributes and click Save, Delete, or Cancel.
Figure 244: Manage NetServices Attributes Page
NetDestination Configuration: Click the Manage NetDestinations link. Configure the required attributes. Click Reset or Save Rule, then click Save, Delete, Reset, or Cancel.
Figure 245: Manage NetDestinations Attributes Page
Time Range Configuration: Click the Manage Time Ranges link. Configure the required attributes and click Save, Delete, or Cancel.
ACL
Click the Add Stateless Access Control List link. Enter a name for the Stateless ACL. Click the Add Rule link on the General tab. Enter the required attributes in the Rule Configuration tab and click Save Rule or Cancel.
Figure 247: Stateless Access Control List Configuration Attributes Page
Click the Add Session Access Control List link. Enter a name for the Session ACL. Click the Add Rule link on the General tab.
Figure 249: Ethernet/MAC Access Control List Attributes Page
Aruba RADIUS Enforcement
Use this page to configure profile and attribute parameters for the Aruba RADIUS Enforcement Profile.
Profile tab
Figure 250: Aruba RADIUS Enforcement Profile tab
Table 131: Aruba RADIUS Enforcement Profile tab Parameters
Template: Aruba RADIUS Enforcement
Name: Enter the name of the profile. The name is displayed in the Name column on the Configuration > Enforcement > Profiles page.
Table 131: Aruba RADIUS Enforcement Profile tab Parameters (Continued)
Device Group List: Select a Device Group from the drop-down list. The list displays all configured Device Groups, which are also listed on the Configuration > Network > Device Groups page. After you add one or more device groups, you can select a group and take one of the following actions:
- Click Remove to delete the selected Device Group List entry.
Profile tab
Figure 252: Cisco Downloadable ACL Enforcement Profile tab
Table 133: Cisco Downloadable ACL Enforcement Profile tab Parameters
Template: Cisco Downloadable ACL Enforcement
Name: Enter the name of the profile. The name is displayed in the Name column on the Configuration > Enforcement > Profiles page.
Description: Enter a description of the profile. The description is displayed in the Description column on the Configuration > Enforcement > Profiles page.
Table 134: Cisco Downloadable ACL Enforcement Attributes tab Parameters
Type: Select one of the following attribute types: Radius:Aruba, Radius:IETF, Radius:Cisco, Radius:Microsoft, Radius:Avenda. For more information, see "RADIUS Namespaces" on page 454.
Name: The options displayed for the Name attribute depend on the Type attribute that was selected.
Value: The options displayed for the Value attribute depend on the Type and Name attributes that were selected.
Table 135: Cisco Web Authentication Enforcement Parameters (Continued)
Device Group List: Select a Device Group from the drop-down list. The list displays all configured Device Groups, which are also listed on the Configuration > Network > Device Groups page. After you add one or more device groups, you can select a group and take one of the following actions:
- Click Remove to delete the selected Device Group List entry.
Profile tab
Figure 256: ClearPass Entity Update Enforcement Profile tab
Table 137: ClearPass Entity Update Enforcement Profile tab Parameters
Template: ClearPass Entity Update Enforcement
Name: Enter the name of the profile. The name is displayed in the Name column on the Configuration > Enforcement > Profiles page.
Description: Enter a description of the profile. The description is displayed in the Description column on the Configuration > Enforcement > Profiles page.
Table 138: ClearPass Entity Update Enforcement Attributes tab Parameters
Type: Select one of the following attribute types: Endpoint, Expire-Time-Update, GuestUser, Status-Update.
Name: The options displayed for the Name attribute depend on the Type attribute that was selected.
Value: The options displayed for the Value attribute depend on the Type and Name attributes that were selected.
CLI Based Enforcement
Use this page to configure profile and attribute parameters for the CLI Based Enforcement Profile.
Table 139: CLI Based Enforcement Profile tab Parameters (Continued)
Device Group List: Select a Device Group from the drop-down list. The list displays all configured Device Groups, which are also listed on the Configuration > Network > Device Groups page. After you add one or more device groups, you can select a group and take one of the following actions:
- Click Remove to delete the selected Device Group List entry.
Table 141: Filter ID Based Enforcement Profile tab Parameters
Template: Filter ID Based Enforcement
Name: Enter the name of the profile. The name is displayed in the Name column on the Configuration > Enforcement > Profiles page.
Description: Enter a description of the profile. The description is displayed in the Description column on the Configuration > Enforcement > Profiles page.
Type: RADIUS. The field is populated automatically.
Action: Enabled.
Table 142: Filter ID Based Enforcement Profile Attributes tab Parameters (Continued)
Name: The options displayed for the Name attribute depend on the Type attribute that was selected.
Value: The options displayed for the Value attribute depend on the Type and Name attributes that were selected.
Generic Application Enforcement
Use this page to configure profile and attribute parameters for the Generic Application Enforcement Profile.
Table 143: Generic Application Enforcement Profile tab Parameters (Continued)
Add new Device Group: To add a new device group, click the Add new Device Group link; see Adding and Modifying Device Groups on page 285.
Attributes tab
Figure 263: Generic Application Enforcement Attributes tab
Table 144: Generic Application Enforcement Attributes tab Parameters
Attribute Name: Select an attribute name from the list. The list has multiple pages.
Table 145: HTTP Based Enforcement Profile tab Parameters (Continued)
Device Group List: Select a Device Group from the drop-down list. The list displays all configured Device Groups, which are also listed on the Configuration > Network > Device Groups page. After you add one or more device groups, you can select a group and take one of the following actions:
- Click Remove to delete the selected Device Group List entry.
Table 147: RADIUS Based Enforcement Profile tab Parameters
Template: RADIUS Based Enforcement
Name: Enter the name of the profile. The name is displayed in the Name column on the Configuration > Enforcement > Profiles page.
Description: Enter a description of the profile. The description is displayed in the Description column on the Configuration > Enforcement > Profiles page.
Type: RADIUS. The field is populated automatically.
Action: Enabled.
Name: The options displayed for the Name attribute depend on the Type attribute that was selected.
Value: The options displayed for the Value attribute depend on the Type and Name attributes that were selected.
RADIUS Change of Authorization (CoA)
Use this page to configure profile and attribute parameters for the RADIUS Change of Authorization (CoA) Enforcement Profile.
Table 149: RADIUS Change of Authorization (CoA) Profile tab Parameters (Continued)
Value: The options displayed for the Value attribute depend on the RADIUS CoA Template and the Type attribute that were selected.
Type: RADIUS_CoA. The field is populated automatically.
Action: Disabled.
Device Group List: Select a Device Group from the drop-down list. The list displays all configured Device Groups.
Table 150: RADIUS Change of Authorization (CoA) Attributes tab Parameters (Continued)
Type: Select one of the following attribute types: Radius:Aruba, Radius:IETF, Radius:Cisco, Radius:Microsoft, Radius:Avenda. For more information, see "RADIUS Namespaces" on page 454.
Name: The options displayed for the Name attribute depend on the Template and the Type attribute that were selected.
Table 151: Session Restrictions Enforcement Profile tab Parameters (Continued)
Device Group List: Select a Device Group from the drop-down list. The list displays all configured Device Groups, which are also listed on the Configuration > Network > Device Groups page. After you add one or more device groups, you can select a group and take one of the following actions:
- Click Remove to delete the selected Device Group List entry.
Profile tab
Figure 272: SNMP Based Enforcement Profile tab
Table 153: SNMP Based Enforcement Profile tab Parameters
Template: SNMP Based Enforcement
Name: Enter the name of the profile. The name is displayed in the Name column on the Configuration > Enforcement > Profiles page.
Description: Enter a description of the profile. The description is displayed in the Description column on the Configuration > Enforcement > Profiles page.
Type: SNMP.
Table 154: SNMP Based Enforcement Attributes tab Parameters
Attribute Name: Select from:
- VLAN ID
- Session Timeout (in seconds)
- Reset Connection (after the settings are applied)
Attribute Value: The options displayed for the Attribute Value depend on the Attribute Name that was selected.
TACACS+ Based Enforcement
Use this page to configure profile, service, and attribute parameters for the TACACS+ Based Enforcement Profile.
Table 155: TACACS+ Based Enforcement Profile tab Parameters (Continued)
Device Group List: Select a Device Group from the drop-down list. The list displays all configured Device Groups, which are also listed on the Configuration > Network > Device Groups page. After you add one or more device groups, you can select a group and take one of the following actions:
- Click Remove to delete the selected Device Group List entry.
VLAN Enforcement
Use this page to configure profile and attribute parameters for the VLAN Enforcement Profile.
Profile tab
Figure 276: VLAN Enforcement Profile tab
Table 157: VLAN Enforcement Profile tab Parameters
Template: VLAN Enforcement
Name: Enter the name of the profile. The name is displayed in the Name column on the Configuration > Enforcement > Profiles page.
Description: Enter a description of the profile.
Table 158: VLAN Enforcement Attributes tab Parameters
Type: Select one of the following attribute types: Radius:Aruba, Radius:IETF, Radius:Cisco, Radius:Microsoft, Radius:Avenda. For more information, see "RADIUS Namespaces" on page 454.
Name: The options displayed for the Name attribute depend on the Type attribute that was selected.
Value: The options displayed for the Value attribute depend on the Type and Name attributes that were selected.
Figure 279: Add Enforcement Policy (Enforcement tab)
Table 159: Add Enforcement Policy (Enforcement tab)
Name/Description: Freeform label and description.
Type: Select RADIUS, TACACS+, WebAuth (SNMP/CLI)/CoA, or Application. Based on this selection, the Default Profile drop-down list shows the enforcement profiles of the matching type (see below).
Table 160: Add Enforcement Policy (Rules tab)
Add/Edit Rule: Bring up the rules editor to add or edit a rule.
Move Up/Down: Reorder the rules in the enforcement policy.
Remove Rule: Remove a rule.
Table 161: Add Enforcement Policy (Rules Editor)
Conditions/Enforcement Profiles: Select conditions for this rule. For each condition, select a matching action (Enforcement Profile).
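The following is an added example, not code from ClearPass or Dell. It models the chapter's flow of control: the Rules tab of an Enforcement Policy is evaluated against a request's roles and posture status, the Default Profile applies when no rule matches, and the matched Enforcement Profiles are expanded into the RADIUS attributes the NAD receives. This is also what the Enforcement Policy simulation in Chapter 13 computes. The role names, profile names, the condition attribute names Tips:Role and Tips:Posture, and the rule contents are assumptions for the example; the VLAN attribute encoding follows RFC 2868 (Tunnel-Type=VLAN(13), Tunnel-Medium-Type=IEEE-802(6), Tunnel-Private-Group-Id set to the VLAN).

```python
# Added example, not ClearPass code: Rules tab evaluation -> Enforcement Profiles ->
# RADIUS attributes. Role/profile names, Tips:Role/Tips:Posture and rule contents
# are assumptions; VLAN attributes follow RFC 2868.

# Each Enforcement Profile wraps the attributes sent to the NAD; None means Access-Reject.
ENFORCEMENT_PROFILES = {
    "Employee VLAN 100": {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
                          "Tunnel-Private-Group-Id": "100"},
    "Quarantine VLAN 999": {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
                            "Tunnel-Private-Group-Id": "999", "Session-Timeout": 600},
    "Guest Filter": {"Filter-Id": "guest-acl"},
    "[Deny Access Profile]": None,
}

# Rules tab, top to bottom: {attribute: (operator, value)} -> profiles to apply.
ENFORCEMENT_RULES = [
    ({"Tips:Posture": ("EQUALS", "UNHEALTHY")}, ["Quarantine VLAN 999"]),
    ({"Tips:Role": ("EQUALS", "Employee"), "Tips:Posture": ("EQUALS", "HEALTHY")},
     ["Employee VLAN 100"]),
    ({"Tips:Role": ("EQUALS", "Guest")}, ["Guest Filter"]),
]
DEFAULT_PROFILE = "[Deny Access Profile]"   # the Enforcement tab's Default Profile


def condition_matches(request, conditions):
    """All conditions of a rule must hold. Tips:Role may carry several roles."""
    for attribute, (operator, value) in conditions.items():
        actual = request.get(attribute)
        present = value in actual if isinstance(actual, (list, set, tuple)) else actual == value
        if operator == "EQUALS" and not present:
            return False
        if operator == "NOT_EQUALS" and present:
            return False
    return True


def evaluate_policy(request, rules=ENFORCEMENT_RULES, default=DEFAULT_PROFILE,
                    first_match=True):
    """Return the profile names for a request. With first_match the first matching rule
    wins; otherwise every matching rule contributes (the policy's evaluation mode)."""
    matched = []
    for conditions, profiles in rules:
        if condition_matches(request, conditions):
            matched.extend(profiles)
            if first_match:
                break
    return matched or [default]


def radius_response(profile_names):
    """Merge the attributes of the matched profiles; a deny profile ends evaluation."""
    attributes = {}
    for name in profile_names:
        profile = ENFORCEMENT_PROFILES[name]
        if profile is None:
            return "Access-Reject", {}
        attributes.update(profile)
    return "Access-Accept", attributes


def enforce(request, **kwargs):
    return radius_response(evaluate_policy(request, **kwargs))


if __name__ == "__main__":
    print(enforce({"Tips:Role": ["Employee"], "Tips:Posture": "HEALTHY"}))
    print(enforce({"Tips:Role": ["Employee"], "Tips:Posture": "UNHEALTHY"}))
    print(enforce({"Tips:Role": ["Contractor"], "Tips:Posture": "HEALTHY"}))
```

Rule order carries the security decision: the quarantine rule sits first so an unhealthy employee never reaches the rule that grants the production VLAN, and a request that matches nothing falls to the deny default rather than to an implicit accept.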
Chapter 12 Network Access Devices
A Policy Manager Device represents a Network Access Device (NAD) that sends network access requests to Policy Manager using the supported RADIUS, TACACS+, or SNMP protocol.
Figure 282: Device tab
Table 162: Device tab Parameters
Name/Description: Specify the identity of the device.
IP Address or Subnet: Specify the IP address or the subnet (for example, 192.168.5.0/24) of the device.
RADIUS/TACACS+ Shared Secret: Enter and confirm a shared secret for each of the two supported request protocols.
Vendor: Optionally, specify the dictionary to be loaded for this device.
Figure 283: SNMP Read/Write Settings tabs
Figure 284: SNMP Read/Write Settings tabs - SNMP v3 Details
Table 163: SNMP Read/Write Settings tabs
Allow SNMP Read/Write: Toggle to enable or disable SNMP Read/Write.
Default VLAN (SNMP Write only): VLAN port setting applied after an SNMP-enforced session expires.
SNMP Read/Write Setting: SNMP settings for the device.
Table 163: SNMP Read/Write Settings tabs (Continued)
Username (SNMP v3 only): Admin user name to use for SNMP read/write operations.
Authentication Key (SNMP v3 only): Key for the SNMP v3 authentication option (SHA or MD5).
Privacy Key (SNMP v3 only): Key for the SNMP v3 privacy option.
Privacy Protocol (SNMP v3 with privacy only): Choose one of the available privacy protocols:
- DES-CBC
- AES-128
Add/Cancel: Click Add to commit or Cancel to dismiss the popup.
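The following is an added example, not code from ClearPass or Dell. It shows what happens to the SNMP v3 Authentication Key and Privacy Key entered in Table 163: RFC 3414 hashes the password (MD5 or SHA-1, which is what the tab's "SHA" option denotes) into Ku and then localizes it with the target's snmpEngineID, so the same password yields a different key on every device and a key captured from one device does not authenticate to another. The privacy protocol then takes its key material from the localized key: 8 octets of DES key plus 8 of pre-IV for DES-CBC (RFC 3414), 16 octets for AES-128 (RFC 3826). The password and engine ID are the RFC 3414 Appendix A test vectors, which is what the assertions check against.

```python
# Added example, not ClearPass code: RFC 3414 password-to-key and key localization
# for the SNMP v3 keys of Table 163. Test vectors are from RFC 3414 Appendix A.
import hashlib

RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")
RFC3414_PASSWORD = b"maplesyrup"
AUTH_ALGORITHMS = {"MD5": "md5", "SHA": "sha1"}   # the tab's "SHA" is HMAC-SHA-96 over SHA-1


def password_to_ku(password, auth_protocol):
    """RFC 3414 A.2: hash the password repeated to exactly 1,048,576 octets."""
    if not password:
        raise ValueError("empty password")
    total = 1048576
    repeated = (password * (total // len(password) + 1))[:total]
    return hashlib.new(AUTH_ALGORITHMS[auth_protocol], repeated).digest()


def localize_key(ku, engine_id, auth_protocol):
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku), binding the key to one agent."""
    return hashlib.new(AUTH_ALGORITHMS[auth_protocol], ku + engine_id + ku).digest()


def usm_auth_key(password, engine_id, auth_protocol):
    """Localized authentication key for one device."""
    return localize_key(password_to_ku(password, auth_protocol), engine_id, auth_protocol)


def usm_priv_key(password, engine_id, auth_protocol, priv_protocol):
    """Privacy key material, derived like the auth key from the Privacy Key password."""
    kul = usm_auth_key(password, engine_id, auth_protocol)
    if priv_protocol == "DES-CBC":
        # RFC 3414 8.1.1.1: first 8 octets are the DES key (56 effective bits), next 8 the pre-IV
        return {"key": kul[:8], "pre_iv": kul[8:16]}
    if priv_protocol == "AES-128":
        # RFC 3826 3.1.2.1: first 128 bits; the IV is built from engine boots/time per message
        return {"key": kul[:16]}
    raise ValueError("unsupported privacy protocol: %r" % priv_protocol)


if __name__ == "__main__":
    print(usm_auth_key(RFC3414_PASSWORD, RFC3414_ENGINE_ID, "MD5").hex())
    print(usm_auth_key(RFC3414_PASSWORD, RFC3414_ENGINE_ID, "SHA").hex())
    print(usm_priv_key(RFC3414_PASSWORD, RFC3414_ENGINE_ID, "SHA", "AES-128"))
```

Of the choices on the tab, SHA with AES-128 is the stronger pair; DES-CBC gives a 56-bit key and MD5 is retained only for compatibility with older agents.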
Table 164: CLI Settings tab (Continued)
Access Type: Select SSH or Telnet. Policy Manager uses this access method to log into the device CLI.
Port: SSH or Telnet TCP port number.
Username/Password: Credentials to log into the CLI.
Username Prompt Regex: Regular expression for the username prompt. Policy Manager looks for this pattern to recognize the Telnet username prompt.
Password Prompt Regex: Regular expression for the password prompt.
Policy Manager lists all configured device groups in the Device Groups page: Configuration > Network > Device Groups.
Figure 286: Device Groups Page
To add a Device Group, click Add Device Group. Complete the fields in the Add New Device Group popup:
Figure 287: Add New Device Group Popup
Table 165: Add New Device Group popup
Name/Description/Format: Specify the identity of the device group.
Subnet: Enter a subnet consisting of the network address and the network suffix (CIDR notation); for example, 192.168.5.0/24.
Regular Expression: Specify a regular expression that represents all IPv4 addresses matching that expression; for example, ^192(.[0-9]*){3}$
List: Available/Selected Devices: Use the widgets to move device identifiers between Available and Selected.
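The following is an added example, not code from ClearPass or Dell. It resolves which Device Groups a NAD address belongs to for the three formats in Table 165 (Subnet, Regular Expression, List), with constructed group definitions. It also keeps the page's own expression, ^192(.[0-9]*){3}$, as LOOSE_REGEX to make a caveat visible: the dot is unescaped and [0-9]* accepts any digit count, so the expression also matches strings that are not 192.x.x.x addresses. Since Device Groups select which enforcement profiles and CLI/SNMP credentials apply to a device, an over-matching group can pull an unintended device in; TIGHT_REGEX is the escaped, range-checked form.

```python
# Added example, not ClearPass code: Device Group membership for the Subnet, Regular
# Expression and List formats of Table 165. Group definitions are constructed.
import ipaddress
import re

LOOSE_REGEX = r"^192(.[0-9]*){3}$"                               # the page's example
TIGHT_REGEX = r"^192(\.(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])){3}$"  # escaped dot, 0-255 octets

# Constructed device groups: name -> (format, value)
DEVICE_GROUPS = {
    "Branch-Switches": ("subnet", "192.168.5.0/24"),
    "All-192-Loose": ("regex", LOOSE_REGEX),
    "All-192-Tight": ("regex", TIGHT_REGEX),
    "Core-Controllers": ("list", {"10.1.1.1", "10.1.1.2"}),
}


def device_in_group(device_ip, group_format, value):
    """Membership test for one group; an unknown format is an error, not a silent miss."""
    if group_format == "subnet":
        try:
            return ipaddress.ip_address(device_ip) in ipaddress.ip_network(value, strict=False)
        except ValueError:
            return False          # not an address at all, so not in any subnet
    if group_format == "regex":
        return re.search(value, device_ip) is not None   # the expression carries its own anchors
    if group_format == "list":
        return device_ip in value
    raise ValueError("unknown device group format: %r" % group_format)


def groups_for_device(device_ip, groups=DEVICE_GROUPS):
    """Sorted names of every group the device matches."""
    return sorted(name for name, (fmt, value) in groups.items()
                  if device_in_group(device_ip, fmt, value))


def is_valid_ipv4(text):
    """Reject junk before it reaches a regex-format group."""
    try:
        return ipaddress.ip_address(text).version == 4
    except ValueError:
        return False


if __name__ == "__main__":
    for ip in ("192.168.5.17", "192.168.6.1", "1921234", "192.168.5.1000", "10.1.1.2"):
        print(ip, is_valid_ipv4(ip), groups_for_device(ip))
```

Running the block shows the difference: 192.168.5.17 lands in both regex groups and the subnet group, while the non-addresses 1921234 and 192.168.5.1000 still match the loose expression and nothing else.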
Figure 288: Proxy Targets Page
Add a Proxy Target
To add a Proxy Target, click Add Proxy Target and complete the fields in the Add Proxy Target popup. You can also add a new proxy target from the Services page (Configuration > Services) as part of the Add Service wizard for a RADIUS Proxy Service Type.
Figure 289: Add Proxy Target Popup
Table 166: Add Proxy Target popup
Name/Description: Freeform label and description.
Export one Proxy Target: Click a check box to select the proxy target and then click Export. In the Save As popup, specify a file path, and then click Export.
Delete one Proxy Target: Click a check box to select the Proxy Target and then click Delete. Commit the deletion by selecting Yes; dismiss the popup by selecting No.
Custom Admin Privileges
Dell Networking W-ClearPass Policy Manager ships with six read-only default administrator privilege XML files.
Chapter 13 Policy Simulation
After the policies are final, you can use the Configuration > Policy Simulation utility to evaluate the policies before deployment. The Policy Simulation utility applies a set of request parameters as input against a given policy component and displays the outcome in the Results tab.
Active Directory Authentication
This simulation tests authentication against an Active Directory domain or trusted domain to verify that the CPPM domain membership is valid. The Attributes tab is not available for this simulation type.
Simulation tab
Figure 292: Active Directory Authentication Simulation tab
Table 169: Active Directory Authentication Simulation tab Parameters
Active Directory Domain: Select the domain(s) to which the node is joined.
Simulation tab
Figure 294: Application Authentication Simulation tab
Table 171: Application Authentication Simulation tab Parameters
CPPM IP Address/FQDN: Enter the IP address or FQDN of the CPPM server.
Username: Enter the username.
Password: Enter the password.
Attributes tab
Enter the attributes of the policy component to be tested.
Figure 296: Application Authentication Results tab
Table 173: Application Authentication Results tab Parameters
Summary: Displays the results of the Application Authentication simulation.
Application Authentication Output Attributes: Displays the output attributes, such as Super Administrator.
Audit
This simulation allows you to specify an audit against a Nessus Server or Nmap Server, given its IP address. The Attributes tab is not available for this simulation type.
Results tab
Figure 298: Audit Simulation Results tab
Table 175: Audit Results tab Parameters
Summary: Displays information about the Audit Status, Temporary Status, and Audit Timeout.
Audit Output Attributes: Displays the Audit-Status, such as AUDIT_INPROGRESS.
Table 176: Chained Simulation tab Parameters
Service: Select from:
- [Policy Manager Admin Network Login Service]
- [AirGroup Authorization Service]
- [Aruba Device Access Service]
- [Guest Operator Logins]
- Guest Access
- Guest Access With MAC Caching
Authentication Source: Default value = [Local User Repository] if you select [Policy Manager Admin Network Login Service] or [Aruba Device Access Service]. Default value = [Guest Device Repository] if you select [AirGroup Authori
Type: Select one of the following attribute types:
- Application (see "Application Namespace" on page 446)
- Certificate (see "Certificate Namespaces" on page 450)
- Radius:IETF, Radius:Cisco, Radius:Microsoft, Radius:Avenda, Radius:Aruba (see "RADIUS Namespaces" on page 454)
- Trend:AV, Cisco:HIPS, Cisco:HOST, Cisco:PA, NAI:AV, Symantec:AV
Name: The options displayed for the Name attribute depend on the Type attribute that was selected.
Table 178: Chained Simulation Results tab Parameters
Summary: Provides the following information about the Chained Simulation: Status, Roles, System Posture Status, Enforcement Profiles, and Enforcement Policy.
Given the service name (and the associated enforcement policy), a role or a set of roles, the system posture status, and an optional date and time, the enforcement policy simulation evaluates the rules in the enforcement policy and displays the resulting enforcement profiles a
Table 179: Enforcement Policy Simulation tab Parameters (Continued)
Enforcement Policy: Autofilled with [Admin Network Login Policy] if you select [Policy Manager Admin Network Login Service]; with [AirGroup Enforcement Policy] if you select [AirGroup Authorization Service]; with [Aruba Device Access Policy] if you select [Aruba Device Access Service]; with [Guest Operator Logins] if you select the [Guest Operator Logins] service; with Copy_of_Gue
Table 179: Enforcement Policy Simulation tab Parameters (Continued)
Dynamic Roles: Add Role: Enter the name of a dynamic role in the Add Role field and click the Add Role button to populate the Dynamic Roles list. Remove Role: Highlight a dynamic role and click the Remove Role button.
Results tab
Figure 304: Policy Simulation Results tab
Table 181: Enforcement Policy Results tab Parameters
Deny Access: Displays the output of the Deny Access test.
Enforcement Profile: Displays the name of the Enforcement Profile.
RADIUS Authentication
Dictionaries in the RADIUS namespace come pre-packaged with the product. The administration interface also provides a way to add dictionaries to the system (see "RADIUS Dictionary" on page 398 for more information).
Table 182: RADIUS Simulation tab Parameters
Server: Select Local or Remote.
CPPM IP Address or FQDN: Only displayed if Remote Server is selected. Enter the IP address or FQDN of the remote CPPM server.
Port: Only displayed if Remote Server is selected. Enter the port number of the remote CPPM server. The default port number is 1812.
Shared Secret: Only displayed if Remote Server is selected.
Table 182: RADIUS Simulation tab Parameters (Continued)
Authentication outer method: Select one of the following:
- PAP: the Authentication inner method field is disabled.
- CHAP: the Authentication inner method field is disabled.
- MSCHAPv2: the Authentication inner method field is disabled.
- PEAP: the Authentication inner method field is enabled. The selections are EAP-MSCHAPv2, EAP-GTC, and EAP-TLS*.
- TTLS: the Authentication inner method field is enabled.
The attributes that you set depend on the NAS Type selected on the Simulation page.
NAS Type: Aruba Wireless Controller
Figure 307: Aruba Wireless Controller Type Attributes tab
Table 183: Aruba Wireless Controller Required Attribute Settings
Line 1: Type = Radius:IETF, Name = NAS-Port-Type, Value = Wireless-802.
NAS Type: Cisco Wireless Switch
Figure 309: NAS Type: Cisco Wireless Switch Attributes tab
Table 185: NAS Type: Cisco Wireless Switch Required Attribute Settings
Line 1: Type = Radius:IETF, Name = NAS-Port-Type, Value = 802.11(19)
Line 2: Type = Radius:IETF, Name = Service-Type, Value = Framed-User(2)
Results tab
Figure 310: Results tab
Table 186: RADIUS Authentication Results tab Parameters
Summary: Displays a summary of the simulation.
Table 186: RADIUS Authentication Results tab Parameters (Continued)
Details: Click this link to open a popup that provides details about the authentication test. You can take the following actions:
- Click the Summary, Input, and Output tabs.
- Click the Change Status, Show Logs, Export, or Close buttons.
Status Message(s): Displays the status messages resulting from the test.
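The following is an added example, not code from ClearPass or Dell. It builds the RADIUS Access-Request that a PAP simulation with the Table 183/185 attributes puts on the wire to port 1812: NAS-Port-Type 19 (Wireless-802.11), Service-Type 2 (Framed-User), User-Password hidden with the RFC 2865 MD5 scheme keyed by the shared secret, and a Message-Authenticator (RFC 3579) so that a peer holding the wrong shared secret is detected rather than silently answered. The username, password, shared secret and NAS address are constructed values; a real simulation may include further attributes.

```python
# Added example, not ClearPass code: a PAP Access-Request with the simulation's
# NAS-Port-Type/Service-Type attributes, RFC 2865 password hiding and an RFC 3579
# Message-Authenticator. Credentials and addresses are constructed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
NAS_PORT_TYPE, MESSAGE_AUTHENTICATOR = 61, 80
FRAMED_USER, WIRELESS_80211 = 2, 19          # IETF enumerations used on the Attributes tab


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-octet blocks, XOR each with MD5(secret || previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\0")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; only a holder of the shared secret recovers the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")      # a password ending in NUL octets is not representable in PAP


def attribute(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username, password, secret, nas_ip, identifier=1, authenticator=None):
    request_authenticator = authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, hide_password(password, secret, request_authenticator))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attribute(NAS_PORT_TYPE, struct.pack("!I", WIRELESS_80211))
             + attribute(SERVICE_TYPE, struct.pack("!I", FRAMED_USER)))
    # RFC 3579 3.2: HMAC-MD5 over the whole packet with Message-Authenticator zeroed.
    length = 20 + len(attrs) + 18
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + request_authenticator
    placeholder = attribute(MESSAGE_AUTHENTICATOR, b"\0" * 16)
    mac = hmac.new(secret, header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + attribute(MESSAGE_AUTHENTICATOR, mac)


def parse_attributes(packet):
    """Attribute type -> value; each length octet is checked before it is trusted."""
    attrs, i = {}, 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs[attr_type] = packet[i + 2:i + length]
        i += length
    return attrs


def verify_message_authenticator(packet, secret):
    """Recompute the HMAC with the received Message-Authenticator zeroed and compare."""
    parse_attributes(packet)      # raises on malformed input before anything is trusted
    zeroed, received, i = packet[:20], None, 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        if attr_type == MESSAGE_AUTHENTICATOR:
            received = packet[i + 2:i + length]
            zeroed += packet[i:i + 2] + b"\0" * 16
        else:
            zeroed += packet[i:i + length]
        i += length
    if received is None:
        return False
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), received)


if __name__ == "__main__":
    pkt = build_access_request(b"alice", b"s3cret", b"shared-secret", "192.168.5.10")
    print(pkt.hex())
    print(verify_message_authenticator(pkt, b"shared-secret"))
```

The password hiding is an MD5 keystream keyed by the shared secret and the 16-octet Request Authenticator, so the secret configured per device (Table 162) is the only thing protecting PAP credentials on the wire; that is the reason to prefer a tunneled outer method such as PEAP or TTLS over PAP on any untrusted path.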
Table 187: Role Mapping Simulation tab Parameters (Continued)
Role Mapping Policy: The field is disabled if you select [Policy Manager Admin Network Login Service], [Aruba Device Access Service], or [Guest Operator Logins]. The field is autofilled with [AirGroup Version Match] if you select [AirGroup Authorization Service], with [Guest Roles] if you select Guest Access, and with Guest MAC Authentication Role Mapping if you select Guest Access With MAC Caching.
Table 188: Role Mapping Simulation Attributes tab Parameters
Type: Select one of the following attribute types:
- Host (see "Host Namespaces" on page 453)
- Authentication (see "Authentication Namespaces" on page 447)
- Connection (see "Connection Namespaces" on page 451)
- Application (see "Application Namespace" on page 446)
- Certificate (see "Certificate Namespaces" on page 450)
- Radius:IETF, Radius:Cisco, Radius:Microsoft, Radius:Avenda, Radius:Aruba (see "RADIUS Namespaces" on page 454)
Name: The options displayed for the Name
Service Categorization A service categorization simulation allows you to specify a set of attributes in the RADIUS or Connection namespace and test which configured service the request will be categorized into. The request attributes that you specify represent the attributes sent in the simulated request.
Table 191: Service Categorization Simulation Attributes tab Parameters (Continued)
Name: The options displayed for the Name attribute depend on the Type attribute that was selected.
Value: The options displayed for the Value attribute depend on the Type and Name attributes that were selected.
Results tab
Figure 316: Results tab
Table 192: Service Categorization Results tab Parameters
Summary: Gives the name of the service.
Chapter 14: ClearPass Policy Manager Profile
Profile is a Dell Networking W-ClearPass Policy Manager module that automatically classifies endpoints using attributes obtained from software components called Collectors. You can use Profile to implement "Bring Your Own Device" (BYOD) flows, where access must be controlled based on the type of the device and the identity of the user.
- "MAC OUI" on page 312*
- "ActiveSync Plugin" on page 313
- "CPPM OnGuard" on page 313
- "SNMP" on page 313
- "Subnet Scan" on page 314
* Acquired via various authentication mechanisms such as 802.1X, MAC authentication, and so on.
DHCP
DHCP attributes such as option 55 (parameter request list), option 60 (vendor class), and the options list from DISCOVER and REQUEST packets can uniquely fingerprint most devices that use DHCP to acquire an IP address on the network.
ActiveSync Plugin
The ActiveSync plugin is installed on Microsoft Exchange servers. When a device communicates with the Exchange server using the ActiveSync protocol, it provides attributes such as device-type and user-agent. The plugin collects these attributes and sends them to the CPPM profiler, which uses dictionaries to derive profiles from them.
CPPM OnGuard
The ClearPass OnGuard agent performs advanced endpoint posture assessment.
Figure 317: SNMP Read/Write Settings Tabs
In large or geographically spread cluster deployments, you do not want all CPPM nodes to probe all SNMP-configured devices. By default, a CPPM node in the cluster reads network device information only for devices configured to send traps to that node.
Subnet Scan
A network subnet scan is used to discover the IP addresses of devices in the network.
- SNMP
- DHCP
- MAC OUI
Stage 2
CPPM comes with a built-in set of rules that evaluate to a device profile. The rules engine uses all input attributes and device profiles from Stage 1. The rule evaluation may or may not produce a profile; Stage 2 is intended to refine the results of profiling.
Example: With DHCP options, Stage 1 can identify an Android device. Stage 2 uses rules to combine this with the MAC OUI to further classify the Android device as Samsung Android, HTC Android, and so on.
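The DHCP collector described above and the two-stage evaluation in this section can be traced end to end with the following added example, which is illustrative code written for this guide and not ClearPass's profiler. It parses the options field of a constructed DHCP DISCOVER message, extracts option 55 and option 60 as the Stage 1 fingerprint, looks the pair up in a small dictionary, and then applies a Stage 2 rule that refines an "Android" result with the MAC OUI. The fingerprint dictionary entries, the OUI table (using locally administered 02:xx:xx prefixes as placeholders), and the sample packet are all constructed assumptions, not real fingerprint data; the parser also rejects truncated option data rather than guessing, which matters when untrusted clients are the source of the bytes.

```python
from typing import Dict, List, Optional, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2132 magic cookie that precedes DHCP options
OPT_PAD, OPT_MESSAGE_TYPE, OPT_PARAM_REQUEST_LIST, OPT_VENDOR_CLASS, OPT_END = 0, 53, 55, 60, 255


def parse_dhcp_options(options: bytes) -> Dict[int, bytes]:
    """Parse the variable-length options field of a DHCP message (the bytes that
    follow the 236-byte fixed header). Returns {option code: raw value}.
    Malformed or truncated input raises ValueError instead of being guessed at."""
    if not options.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    parsed: Dict[int, bytes] = {}
    i = len(MAGIC_COOKIE)
    while i < len(options):
        code = options[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            return parsed
        if i + 1 >= len(options):
            raise ValueError(f"option {code}: truncated length byte")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: truncated value")
        parsed[code] = value
        i += 2 + length
    raise ValueError("options not terminated by END")


def dhcp_fingerprint(parsed: Dict[int, bytes]) -> Tuple[str, str]:
    """Stage 1 inputs: option 55 as a comma-separated list and option 60 as text."""
    prl = ",".join(str(b) for b in parsed.get(OPT_PARAM_REQUEST_LIST, b""))
    vendor = parsed.get(OPT_VENDOR_CLASS, b"").decode("ascii", errors="replace")
    return prl, vendor


# Constructed Stage 1 dictionary: (option 55 list, option 60 prefix) -> device family.
# These values are placeholders for this example, not real fingerprint data.
STAGE1_DICTIONARY = {
    ("1,3,6,15,26,28,51,58,59,43", "dhcpcd"): "Android",
    ("1,3,6,15,119,252", "ExampleOS"): "ExampleOS Laptop",
}

# Constructed OUI table; 02:xx:xx prefixes are locally administered, so they are
# safe placeholders and do not refer to any real manufacturer.
OUI_TABLE = {"02:1a:2b": "ExampleVendor", "02:3c:4d": "OtherVendor"}


def stage1(parsed: Dict[int, bytes]) -> Optional[str]:
    """Look up the DHCP fingerprint; None means the dictionary has no match."""
    prl, vendor = dhcp_fingerprint(parsed)
    for (dict_prl, vendor_prefix), family in STAGE1_DICTIONARY.items():
        if prl == dict_prl and vendor.startswith(vendor_prefix):
            return family
    return None


def stage2(family: Optional[str], mac: str) -> Optional[str]:
    """Refine a Stage 1 family with the MAC OUI. Returns the family unchanged when
    no rule applies, and None when Stage 1 produced nothing to refine."""
    if family is None:
        return None
    oui = mac.lower().replace("-", ":")[:8]
    vendor = OUI_TABLE.get(oui)
    if family == "Android" and vendor:
        return f"{vendor} Android"
    return family


def profile_endpoint(options: bytes, mac: str) -> Optional[str]:
    return stage2(stage1(parse_dhcp_options(options)), mac)


def build_options(msg_type: int, prl: List[int], vendor_class: bytes) -> bytes:
    """Assemble a constructed options field for testing (DISCOVER message type = 1)."""
    return (MAGIC_COOKIE
            + bytes([OPT_MESSAGE_TYPE, 1, msg_type])
            + bytes([OPT_PARAM_REQUEST_LIST, len(prl)]) + bytes(prl)
            + bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class
            + bytes([OPT_END]))


# Constructed DISCOVER options from a hypothetical Android client.
SAMPLE_DISCOVER = build_options(1, [1, 3, 6, 15, 26, 28, 51, 58, 59, 43], b"dhcpcd-5.5.6")

if __name__ == "__main__":
    print(dhcp_fingerprint(parse_dhcp_options(SAMPLE_DISCOVER)))
    print(profile_endpoint(SAMPLE_DISCOVER, "02:1A:2B:33:44:55"))
```

Stage 2 only adds information when the OUI is known; an unrecognised OUI leaves the Stage 1 result ("Android") in place, mirroring the note above that rule evaluation may or may not refine the profile.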
Table 193: Profiler tab Parameters
Endpoint Classification: Select the classification after which an action must be triggered. You can select a new action or remove a current action.
RADIUS CoA Action: Select an action. Click View Details to view details about the selected action. Click Modify to change the values of the selected action.
Add new RADIUS CoA Action: Click to add a RADIUS CoA action to the list.
Chapter 15: Administration
All administrative activities, including server configuration, log management, certificate and dictionary maintenance, portal definitions, and administrator user account maintenance, are done from the Administration menus. The Policy Manager Administration menu provides the following interfaces for configuration:
ClearPass Portal Navigate to the Administration > Agents and Software Updates > ClearPass Portal page.
Admin Users
The Policy Manager Admin Users menu (Administration > Users and Privileges > Admin Users) provides the following interfaces for configuration:
- "Add User" on page 319
- "Import Users" on page 320
- "Export Users" on page 320
- "Export" on page 321
Figure 321: Admin Users
Table 195: Admin Users
Add User: Opens the Add User popup form.
Import Users: Opens the Import Users popup form.
Export Users: Exports all users to an XML file.
Table 196: Add Admin User
User ID, Name, Password, Verify Password: Specify the identity and password for a new admin user.
Privilege Level: Select the privilege level:
- Help Desk
- Super Administrator
- Network Administrator
- Receptionist or any other custom privilege level
Add/Cancel: Add or dismiss changes.
Import Users
Select the Import Users link in the upper right portion of the page.
Export
Select the Export button on the lower right portion of the page. To export a user, select it (check box at left) and click Export. Your browser displays its normal Save As dialog, in which you enter the name of the XML file that will contain the export.
Admin Privileges
To view the available Admin Privileges, go to Administration > Users and Privileges > Admin Privileges.
Administrator Privileges and IDs The following list provides the areas and sub-areas of the Policy Manager application and the associated taskid of each one. If you provide permission for an area, the same permission for all sub-areas is included by default. For example, if you give RW permissions for Enforcements (con.en), you grant permissions for its sub-areas, in this case, Policies (con.en.epo) and Profiles (con.en.epr), and you do not have to explicitly define the same permission for those sub-areas.
  - Device Groups: taskId="con.nw.ng"
  - Proxy Targets: taskId="con.nw.pr"
  - Policy Simulation: taskId="con.ps"
  - Profile Settings: taskId="con.prs"
- Administration: taskId="adm"
  - User and Privileges: taskId="adm.us"
    - Admin Users: taskId="adm.us.au"
    - Admin Privileges: taskId="adm.us.ap"
  - Server Manager: taskId="adm.mg"
    - Server Configuration: taskId="adm.mg.sc"
    - Log Configuration: taskId="adm.mg.ls"
    - Local Shared Folders: taskId="adm.mg.sf"
    - Licensing: taskId="adm.mg.
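The inheritance rule stated above (a permission on an area applies to all of its sub-areas unless stated otherwise) can be checked with a short resolver. This is an added example written for this guide, not ClearPass's own authorization code: it walks from the most specific taskId up to its top-level area and returns the first grant it finds, using the taskId values listed in this section. Two points are assumptions of the example, not statements from the guide: that an explicit grant on a sub-area takes precedence over the grant on its parent area, and that a taskId with no grant anywhere in its chain is denied.

```python
from typing import Dict, Optional

# Grants keyed by taskId, as found in an admin privilege definition.
# Values are "R" (read) or "RW" (read/write). These grants are constructed.
Grants = Dict[str, str]


def effective_permission(task_id: str, grants: Grants) -> Optional[str]:
    """Resolve the permission for task_id by walking from the most specific taskId
    (e.g. con.en.epo) up to its area (con.en) and top level (con). The first grant
    found wins, so an explicit sub-area grant overrides its parent (assumption).
    Returns "RW", "R", or None when nothing in the chain is granted."""
    parts = task_id.split(".")
    for depth in range(len(parts), 0, -1):
        prefix = ".".join(parts[:depth])
        if prefix in grants:
            return grants[prefix]
    return None


def allowed(task_id: str, action: str, grants: Grants) -> bool:
    """Deny by default (assumption): only an explicit R or RW grant permits access."""
    perm = effective_permission(task_id, grants)
    if perm is None:
        return False
    if action == "read":
        return perm in ("R", "RW")
    if action == "write":
        return perm == "RW"
    raise ValueError(f"unknown action {action!r}")


# Constructed privilege level: read/write on Enforcements, read-only on Users and
# Privileges, read/write on Server Configuration only (not all of Server Manager).
EXAMPLE_GRANTS: Grants = {"con.en": "RW", "adm.us": "R", "adm.mg.sc": "RW"}

# Constructed privilege level showing a sub-area grant narrower than its parent.
NARROWED_GRANTS: Grants = {"adm.mg": "RW", "adm.mg.ls": "R"}

if __name__ == "__main__":
    for tid in ("con.en.epo", "con.en.epr", "adm.us.ap", "adm.mg.sc", "adm.mg.ls", "con.ps"):
        print(f"{tid}: {effective_permission(tid, EXAMPLE_GRANTS)}")
```

Reviewing a privilege file this way makes the inherited scope explicit: granting RW on adm.mg would silently include Log Configuration and Local Shared Folders, which is why the constructed example grants adm.mg.sc alone when only server configuration access is intended.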
3. Go to Administration > Users and Privileges > Admin Privileges.
4. Click Import Admin Privileges.
5. Import the administrator privilege file you created in step 1. See Importing for details.
After you complete steps 1-5, the new administrator privileges document is displayed on the Admin Privileges page.
Table 198: Log Configuration Service Log Configuration tab Parameters (Continued)
Module Log Level Settings: Enable this option to set the log level for each module individually. The levels, in decreasing order of verbosity, are:
- DEBUG
- INFO
- WARN
- ERROR
- FATAL
For optimal performance, run Policy Manager with the log level set to ERROR or FATAL. If this option is disabled, all module-level logs are set to the default log level.
Table 199: Log Configuration System Level tab Parameters
Select Server: Specify the server for which to configure logs.
Number of log files: Specify the number of log files of a specific module to keep at any given time. When a log file reaches the specified size (see below), Policy Manager rolls the log over to another file until the specified number of log files is reached; once the log files exceed this number, Policy Manager overwrites the first numbered file.
Figure 327: Server Configuration Page
Editing Server Configuration Settings
Navigate to the Administration > Server Manager > Server Configuration page and click a server name in the table. The Server Configuration form opens by default on the System tab.
Figure 329: System Tab
Table 200: Server Configuration System tab
Hostname: Hostname of the Policy Manager appliance. It is not necessary to enter the fully qualified domain name here.
Policy Manager Zone: Select a previously configured timezone from the drop-down list. Click the Policy Manager Timezone link to add and edit timezones from within this page.
Enable Profile: Enable Profile to perform endpoint classifications.
Table 200: Server Configuration System tab (Continued)
Management Port: Default Gateway: Default gateway for the management interface.
Data/External Port: IP Address: Data interface IP address. All authentication and authorization requests arrive on the data interface.
Figure 330: Join AD Domain
Table 201: Join AD Domain Parameters
Domain Controller: Fully qualified name of the Active Directory domain controller.
NETBIOS name (optional): The NETBIOS name of the domain. Enter this value only if it is different from your regular Active Directory domain name (usually a shorter name). Contact your AD administrator about the NETBIOS name.
Add Password Server
After CPPM is successfully joined to an AD domain, you can configure a restricted list of domain controllers to be used for MSCHAP authentication. If no list is configured, all available domain controllers obtained from DNS are included. Perform the following steps to add a password server.
1. In the AD Domains section of the System tab, click the Add Password Server icon (see Figure 331).
Figure 331: Add Password Server icon
2. The Configure AD Password Servers page appears.
Figure 333: Services Control Tab
Service Parameters Tab
Navigate to the Service Parameters tab to change the system parameters of a variety of services. The options on this page vary based on the selected service. Determine the service that you want to edit.
Table 202: Service Parameters tab - Async Network Services
Post Auth: Number of request processing threads: Set the number of request processing threads. The default value is 20 threads, and the allowed values are between 20 and 100.
Post Auth: Lazy handler polling frequency: Set the lazy handler polling frequency, in minutes. The default value is 5 minutes, and the allowed values are from 3 to 10 minutes.
Table 203: Service Parameters - ClearPass network services
DhcpSnooper: MAC to IP Request Hold time: Number of seconds to wait before responding to a query for the IP address corresponding to a MAC address. Any DHCP message received in this time period refreshes the MAC-to-IP binding. Typically, the audit service requests a MAC-to-IP mapping as soon as the RADIUS request is received, but the client may need more time to receive an IP address through DHCP.
Table 203: Service Parameters - ClearPass network services (Continued)
SNMP v3 Trap Authentication Key / SNMP v3 Trap Privacy Key: SNMP v3 authentication key and privacy key for incoming traps.
Device Info Poll Interval: Specifies the time (in minutes) between polls for device information.
Figure 337: ClearPass System Services Parameters (partial view)
Table 204: Service Parameters - ClearPass system services
PHP System Configuration: Memory Limit: Maximum memory that can be used by the PHP applications.
PHP System Configuration: Form POST Size: Maximum HTTP POST content size that can be sent to the PHP application.
PHP System Configuration: File Upload Size: Maximum file size that can be uploaded into the PHP application.
Table 204: Service Parameters - ClearPass system services (Continued)
Maximum connections: Specify a number between 300 and 1500 for the maximum number of allowed connections.
TCP Keepalive Configurations: Keep Alive Time: Specify a value in seconds from 10 to 86400.
TCP Keepalive Configurations: Keep Alive Interval: Specify a value in seconds from 1 to 3600.
TCP Keepalive Configurations: Keep Alive Probes: Specify a value from 1 to 100 for the number of probes.
Table 205: Service Parameters tab - Policy Server service (Continued)
External Posture Server Thread Pool Size: The number of threads to use for posture servers.
External Posture Server Primary Retry Interval: After a primary posture server goes down, Policy Manager connects to one of the backup servers. This parameter specifies how long Policy Manager waits before it tries to connect to the primary server again.
Table 206: Service Parameters tab - Radius Server Service (Continued)
Maximum Response Delay: Time delay before retrying a proxy request if the target server has not responded.
Maximum Reactivation Time: Time to elapse before retrying a dead proxy server.
Maximum Retry Counts: Maximum number of times to retry a proxy request if the target server does not respond.
Table 206: Service Parameters tab - Radius Server Service (Continued)
AD/LDAP Authentication Source Connection Count: Maximum number of AD/LDAP connections opened.
SQL DB Authentication Source Connection Count: Maximum number of SQL DB connections opened.
EAP-TLS Fragment Size: Maximum size of an EAP-TLS fragment.
Use Inner Identity in Access-Accept Reply: Specify TRUE or FALSE.
TLS Session Cache Limit: Number of TLS sessions to cache before purging the cache (used in TLS based 802.
Table 206: Service Parameters tab - Radius Server Service (Continued)
Master Key Expire Time: Lifetime of a generated EAP-FAST master key.
Master Key Grace Time: Grace period for an EAP-FAST master key after its lifetime. If a client presents a PAC that is encrypted using the master key in this period after its TTL, the PAC is accepted and a new PAC encrypted with the latest master key is provisioned on the client.
Table 208: Services Parameters tab - System monitor service
Free Disk Space Threshold: Monitors the available disk space. If the available free disk space falls below the specified threshold (default 30%), the system sends SNMP traps to the configured trap servers.
1 Min CPU load average Threshold: These parameters monitor the CPU load average of the system, specifying thresholds for the 1-minute, 5-minute, and 15-minute averages, respectively.
Figure 343: System Monitoring Tab
Table 210: System Monitoring tab details
System Location/System Contact: Policy Manager appliance location and contact information.
SNMP Configuration: Version: V1, V2C, or V3.
SNMP Configuration: Community String: Read community string.
SNMP Configuration: SNMP v3: Username: Username to use for SNMP v3 communication.
Network Tab
Navigate to the Network tab to create GRE tunnels and VLANs related to guest users and to control which applications have access to the node.
Figure 344: Network Interfaces Tab
Creating GRE tunnels
The administrator can create a generic routing encapsulation (GRE) tunnel. This protocol can be used to create a virtual point-to-point link over a standard IP network or the Internet. Note that GRE itself does not encrypt or authenticate the traffic it carries. Navigate to the Network tab and click Create Tunnel.
Figure 346: Creating VLAN Page
Table 212: Creating VLAN Parameters
Physical Interface: The physical port on which to create the VLAN interface. This is the interface through which the VLAN traffic will be routed.
VLAN Name: Name for the VLAN interface. This name is used to identify the VLAN in the list of network interfaces.
VLAN ID: 802.1Q VLAN identifier. Enter a value between 1 and 4094. The VLAN ID cannot be changed after the VLAN interface has been created.
Figure 347: Restrict Access dialog box
Table 213: Restrict Access Parameters
Resource Name: Select the application to which you want to allow or deny access.
Access: Select:
- Allow to define allowed access.
- Deny to define denied access.
Network: Enter one or more hostnames, IP addresses, or IP subnets, separated by commas. The devices defined by what you enter here are either specifically allowed or specifically denied access to the application you select.
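To see how a comma-separated Network field of hostnames, addresses, and subnets is evaluated against a connecting source, the following added example (written for this guide, not ClearPass's own access control code) parses such a field with Python's ipaddress module and evaluates an ordered rule list per resource. The resource names and rules are constructed. Two behaviours are assumptions of the example rather than statements from the guide: rules for a resource are evaluated in order and the first match wins, and a source matching no rule falls through to a caller-supplied default. Hostname entries are compared only against a name the caller already knows; no DNS lookup is performed, so an address-only source can never satisfy a hostname entry.

```python
import ipaddress
from typing import List, Optional, Tuple, Union

NetworkEntry = Union[ipaddress.IPv4Network, ipaddress.IPv6Network, str]
Rule = Tuple[str, str, str]  # (resource name, "Allow" | "Deny", network field text)


def parse_network_list(text: str) -> List[NetworkEntry]:
    """Parse the comma-separated Network field. Addresses and subnets become
    ip_network objects (a bare address is a /32 or /128); anything else is kept
    as a lower-cased hostname literal."""
    entries: List[NetworkEntry] = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        try:
            entries.append(ipaddress.ip_network(item, strict=False))
        except ValueError:
            entries.append(item.lower())
    return entries


def entry_matches(entry: NetworkEntry, addr, host: Optional[str]) -> bool:
    if isinstance(entry, str):
        return host is not None and host == entry
    # ip_network containment is False across address families (v4 vs v6).
    return addr in entry


def evaluate(rules: List[Rule], resource: str, source_ip: str,
             source_host: Optional[str] = None, default: str = "allow") -> str:
    """Return "allow" or "deny" for source_ip accessing resource.
    First matching rule wins; `default` applies when nothing matches (assumption)."""
    addr = ipaddress.ip_address(source_ip)
    host = source_host.lower() if source_host else None
    for rule_resource, access, network_text in rules:
        if rule_resource != resource:
            continue
        for entry in parse_network_list(network_text):
            if entry_matches(entry, addr, host):
                return access.lower()
    return default


# Constructed rule set: admin UI reachable only from the management range or a
# named jump host, everything else denied; one guest-portal subnet blocked.
RULES: List[Rule] = [
    ("Admin UI", "Allow", "10.0.0.0/8, mgmt-jump.example.com"),
    ("Admin UI", "Deny", "0.0.0.0/0, ::/0"),
    ("Guest Portal", "Deny", "192.0.2.0/24"),
]

if __name__ == "__main__":
    for res, ip, host in [("Admin UI", "10.1.2.3", None), ("Admin UI", "203.0.113.5", None),
                          ("Admin UI", "203.0.113.5", "MGMT-JUMP.example.com"),
                          ("Admin UI", "2001:db8::1", None), ("Guest Portal", "192.0.2.9", None)]:
        print(res, ip, host, "->", evaluate(RULES, res, ip, host))
```

The explicit "0.0.0.0/0, ::/0" deny rule is the part worth copying: an allow list for a management interface is only as strong as the deny that follows it, and an IPv4-only deny leaves IPv6 sources at the default.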
Figure 348: Change Date and Time - Date & Time tab
Table 214: Change Date and Time - Date & Time tab Parameters
Date in yyyy-mm-dd format / Time in hh:mm:ss format: To specify the date and time, use the indicated syntax. These fields are available only when Synchronize Time With NTP Server is unchecked.
Synchronize Time With NTP Server: To synchronize with a Network Time Protocol server, enable this check box and specify the NTP servers. Only two servers may be specified.
Figure 349: Time zone on publisher tab
Change Cluster Password
Navigate to Administration > Server Manager > Server Configuration and click the Change Cluster Password link. Use this function to change the cluster-wide password. Changing this password also changes the password for the CLI user 'appadmin'.
Figure 350: Change Cluster Password
Table 215: Change Cluster Password
New Password / Verify Password: Enter and confirm the new password.
Save/Cancel: Commit or dismiss changes.
Manage Policy Manager Zones
CPPM shares a distributed cache of runtime state across all nodes in a cluster.
Table 216: Policy Manager Zones (Continued)
Add: Adds a zone.
Delete: Select the delete (trashcan) icon to delete a zone.
NetEvents Targets
NetEvents are a collection of details about various ClearPass Policy Manager objects, such as users, endpoints, guests, authentications, accounting details, and so on. This information is periodically posted to a server that is configured as the NetEvents target.
Figure 353: Virtual IP Settings
Table 218: Virtual IP Settings Parameters
Virtual IP: Enter the IP address you want to define as the virtual IP address.
Node: Select the servers to use as the primary and secondary nodes.
Interface: Select the interface on each server to which the virtual IP address should be bound.
Subnet: This value is entered automatically. You do not need to change it.
Enabled: Select the check box to enable the virtual IP address.
Table 219: Add Subscriber Node
Publisher IP / Publisher Password: Specify the publisher address and password. NOTE: The password specified here is the password for the CLI user appadmin.
Restore the local log database after this operation: Enable to restore the log database following the addition of a subscriber node.
Do not backup the existing databases before this operation: Enable this check box only if you do not require a backup of the existing database.
Figure 356: Cluster-Wide Parameters dialog box, General tab
Figure 357: Cluster-Wide Parameters dialog box, Cleanup Interval tab
Figure 358: Cluster-Wide Parameters dialog box, Notifications tab
Figure 359: Cluster-Wide Parameters dialog box, Standby Publisher tab
Figure 360: Cluster-Wide Parameters dialog box, Virtual IP Configuration tab
Table 221: Cluster-Wide Parameters
General: Policy result cache cleanup timeout: The number of minutes to store the role mapping and posture results derived by the policy engine during policy evaluation. This result can then be used in subsequent evaluation of policies associated with a service, if "Use cached Roles and Posture attributes from previous sessions" is turned on for the service.
Table 221: Cluster-Wide Parameters (Continued)
Endpoint Context Servers polling interval: Enter the number of minutes between polls of endpoint context servers. The default is 60.
Cleanup Intervals: Cleanup interval for session log details in the database: The number of days to keep the following data in the Policy Manager DB: session logs (found on Access Tracker), event logs (found on Event Viewer), and the machine authentication cache.
Table 221: Cluster-Wide Parameters (Continued)
System Alert Level: Alert notifications are generated for system events logged at this level or higher. Selecting INFO generates alerts for INFO, WARN, and ERROR messages. Selecting WARN generates alerts for WARN and ERROR messages. Selecting ERROR generates alerts for ERROR messages only.
Alert Notification Timeout: Indicates how often (in hours) alert messages are generated and sent out. Selecting "Disabled" disables alert generation.
Figure 361: Collect Logs
3. Enter a filename and add the .tar.gz extension to the filename.
4. Select the types of logging information you want to collect:
  - System Logs
  - Logs from all Policy Manager services
  - Capture network packets for the specified duration. Use this with caution, and only when you want to debug a problem; system performance can be severely impacted.
  - Diagnostic dumps from Policy Manager services
  - Backup CPPM Configuration data
5.
Figure 362: Backup Popup
Table 222: Backup
Generate filename: Enable to have Policy Manager generate a filename; otherwise, specify Filename. Backup files are in gzipped tar format (.tar.gz extension). The backup file is automatically placed in the Shared Local Folder under the folder type Backup Files (see Local Shared Folders).
Filename: The backup filename, when Generate filename is not enabled.
Do not backup log database: Select this if you do not want to back up the log database.
Figure 363: Restore
Table 223: Restore
Restore file location: Select either Upload file to server or File is on server.
Upload file path: Browse to select the name of the backup file. NOTE: This option is available only when the Upload file to server option is selected.
Shared backup files present on the server: If the file is on the server, select it from the files in the local shared folders (see Local Shared Folders).
Shutdown/Reboot
Navigate to the Administration > Server Manager > Server Configuration page and click the Shutdown or Reboot button to shut down or reboot the node.
Drop Subscriber
Navigate to the Administration > Server Manager > Server Configuration page and click the Drop Subscriber button to drop a subscriber from the cluster. This option is not available in a single-node deployment.
Local Shared Folders
Select the specific folder from the Select folder drop-down list.
On a VM instance of CPPM, the permanent license must be entered. These licenses are listed in the tables on the License Summary tab. There is one entry per server node in the cluster. All application licenses are also listed on the Applications tab. You can add and activate OnGuard, Guest, Onboard, Enterprise, and WorkSpace application licenses. The Summary section shows the number of purchased licenses for Policy Manager, OnGuard, Guest, Onboard, and WorkSpace.
Figure 368: Online Activation Page
Adding an Application License
You can add a license by clicking the Add License button on the top right portion of this page.
1. Select a product from the drop-down list. WorkSpace licenses require a valid Onboard or ClearPass Enterprise license. The default 25-endpoint ClearPass Enterprise license does not qualify.
2. Enter the license key for the new license.
3. Read the Terms and Conditions before adding a license.
4.
3. Click an application anywhere except in the Activation Status column. The Update License page appears.
4. Enter the New License Key.
5. Read the Terms and Conditions, then select the I agree to the above terms and conditions check box.
6. Click Update.
SNMP Trap Receivers
Policy Manager sends SNMP traps that expose the following server information:
- System uptime: conveys how long the system has been running.
- Network interface statistics [up/down].
Adding an SNMP Trap Server
To add a trap server, navigate to Administration > External Servers > SNMP Trap Receivers and select the Add SNMP Trap Server link.
Figure 371: Add SNMP Trap Server
Table 224: Add SNMP Trap Server fields
Host Address: Trap destination hostname or IP address. NOTE: This server must have an SNMP trap receiver or trap viewer installed.
Description: Freeform description.
SNMP Version: V1 or V2C.
Figure 372: Import SNMP Trap Server
Table 225: Import SNMP Trap Server
Select File: Browse to the SNMP Trap Server configuration file to be imported.
Enter secret for the file (if any): If the file was exported with a secret key for encryption, enter the same key here.
Syslog Targets
Dell Networking W-ClearPass Policy Manager can export session data (see "Access Tracker" on page 33), audit records (see "Audit Viewer" on page 58), and event records (see "Event Viewer" on page 63).
Table 226: Syslog Target Configuration (Continued)
Export: Opens the Export popup.
Delete: To delete a Syslog Target, select it (check box at left) and click Delete.
Add Syslog Target
To add a Syslog Target, navigate to Administration > External Servers > Syslog Targets and select Add Syslog Target.
Figure 374: Add Syslog Target
Table 227: Add Syslog Target
Host Address: Syslog server hostname or IP address.
Description: Freeform description.
Figure 375: Import Syslog Target
Table 228: Import from file
Select File: Browse to the Syslog Target configuration file to be imported.
Enter secret for the file (if any): If the file was exported with a secret key for encryption, enter the same key here.
Import/Cancel: Click Import to commit, or Cancel to dismiss the popup.
Export Syslog Target
Navigate to Administration > External Servers > Syslog Targets and select the Export Syslog Target link.
Figure 376: Syslog Export Filters Page
Table 229: Syslog Export Filters Page Parameters
Add Syslog Filter: Opens the Add Syslog Filter page (Administration > External Servers > Syslog Export Filters > Add).
Import Syslog Filter: Opens the Import Syslog Filter popup.
Export Syslog Filter: Opens the Export Syslog Filter popup.
Enable/Disable: Click the Enable/Disable toggle button to enable or disable the syslog filter.
Export: Opens the Export popup.
Table 230: Import from File (Continued)
Enter secret for the file (if any): If the file was exported with a secret key for encryption, enter the same key here.
Import/Cancel: Click Import to commit, or Cancel to dismiss the popup.
Export Syslog Filter
Navigate to Administration > External Servers > Syslog Filters and select the Export Syslog Filter link. The Export Syslog Filter link exports all configured syslog filters. Click Export Syslog Filter.
Table 231: Add Syslog Filters (Filter and Columns tab)
Data Filter: Specify the data filter. The data filter limits the type of records sent to the syslog target.
Modify / Add new Data filter: Modify the selected data filter, or add a new one.
Columns Selection: Limits the columns sent to syslog. Specifying a data filter filters the rows that are sent to the syslog target; you may also select the columns that are sent to the syslog target.
Table 232: Syslog Export Filters General tab Parameters
Name/Description: Enter a name and description in the respective text fields.
Export Template: Session Logs, Audit Records, or System Events.
Syslog Servers: Syslog servers define the receivers of syslog messages sent by servers in the ClearPass cluster. To add a syslog server, select it from the drop-down list.
- To view details about a syslog server, select it, then select View Details.
Table 233: Syslog Export Filters Summary tab Parameters (Continued)
Export Template: The template selected as the export template.
Syslog Servers: IP address of the syslog server selected during configuration.
ClearPass Servers: IP address of the ClearPass servers selected during configuration.
Filter and Columns: Data Filter: Displays the data filter selected when configuring Option 1 on the Filter and Columns tab.
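The Filter and Columns tab above describes two independent reductions: the data filter selects which rows are exported, and the column selection selects which fields of each row are sent. The following added example (written for this guide, not ClearPass's exporter) applies both to a few constructed session-log records shaped like Access Tracker rows and produces the message payloads a syslog target would receive. The record fields, filter operators, and key="value" message format are constructed for illustration; the guide does not specify the wire format. Treating an empty column selection as "all columns" is also an assumption of the example.

```python
from typing import Any, Dict, List, Sequence, Tuple

Record = Dict[str, Any]
FilterCondition = Tuple[str, str, Any]  # (column, operator, value)

# Constructed session-log records in the shape of Access Tracker rows.
SESSION_LOGS: List[Record] = [
    {"timestamp": "2014-05-01T10:00:01Z", "username": "alice", "nas_ip": "10.0.0.1",
     "service": "802.1X Wireless", "auth_status": "ACCEPT", "roles": "[Employee]"},
    {"timestamp": "2014-05-01T10:00:05Z", "username": "bob", "nas_ip": "10.0.0.1",
     "service": "802.1X Wireless", "auth_status": "REJECT", "roles": ""},
    {"timestamp": "2014-05-01T10:00:09Z", "username": "02:1a:2b:33:44:55", "nas_ip": "10.0.0.2",
     "service": "MAC Authentication", "auth_status": "TIMEOUT", "roles": ""},
]


def row_matches(record: Record, data_filter: Sequence[FilterCondition]) -> bool:
    """All conditions must hold (AND); an unknown operator is an error, not a pass."""
    for column, op, value in data_filter:
        actual = record.get(column)
        if op == "EQUALS":
            ok = actual == value
        elif op == "NOT_EQUALS":
            ok = actual != value
        elif op == "IN":
            ok = actual in value
        elif op == "CONTAINS":
            ok = isinstance(actual, str) and value in actual
        else:
            raise ValueError(f"unsupported operator {op!r}")
        if not ok:
            return False
    return True


def format_message(template: str, payload: Dict[str, Any]) -> str:
    """Constructed key="value" format; embedded quotes and backslashes are escaped
    so a value cannot inject extra fields into the line."""
    def esc(v: Any) -> str:
        return str(v).replace("\\", "\\\\").replace('"', '\\"')
    return f"{template}: " + " ".join(f'{k}="{esc(v)}"' for k, v in payload.items())


def export_records(records: Sequence[Record], data_filter: Sequence[FilterCondition],
                   columns: Sequence[str], template: str = "Session Logs") -> List[str]:
    """Rows pass through the data filter; columns are projected by the selection.
    An empty selection exports every column (assumption)."""
    messages: List[str] = []
    for rec in records:
        if not row_matches(rec, data_filter):
            continue
        selected = list(columns) if columns else list(rec.keys())
        payload = {c: rec.get(c, "") for c in selected}
        messages.append(format_message(template, payload))
    return messages


# Constructed filter: only failed or timed-out authentications, four columns.
FAILURE_FILTER: List[FilterCondition] = [("auth_status", "NOT_EQUALS", "ACCEPT")]
FAILURE_COLUMNS = ["timestamp", "username", "auth_status", "service"]

if __name__ == "__main__":
    for line in export_records(SESSION_LOGS, FAILURE_FILTER, FAILURE_COLUMNS):
        print(line)
```

Projecting columns before the record leaves the node is the right place to drop fields a SIEM does not need; what the filter excludes never reaches the wire.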
Table 234: Messaging Setup SMTP Servers tab Parameters
Select Server: Specify the server for which to configure messaging. All nodes in the cluster appear in the drop-down list.
Use the same settings for sending both emails and SMSes: Check this box to configure the same settings for both your SMTP and SMS email servers. This box is checked by default.
Server name: Fully qualified domain name or IP address of the server.
Endpoint Context Servers Policy Manager provides the ability to collect endpoint profile information from different types of Dell W-Series IAPs and RAPs via Aruba Activate. Policy Manager supports Aruba Activate, Palo Alto Networks Firewall and Panorama, and MDM (Mobile Device Management) from Airwatch, JAMF, MaaS360, MobileIron, SOTI, and XenMobile. The mobile device management platforms run on MDM servers.
Figure 383: Add Air Watch Server tab
Table 236: Add Air Watch Server tab Parameters
Select Server Type: Add Air Watch.
Server Name: Enter a valid server name. You can enter an IP address or domain name.
Server Base URL: Enter the full URL for the server. The default is the name you entered above with "https://" prepended. You can append a custom port, such as for an MDM server: https://yourserver.yourcompany.com:customerportnumber.
Username: Enter the username.
Figure 384: Add AirWatch Actions tab
Table 237: Add Air Watch Actions tab Parameters
Clear Passcode: Resets the passcode on the device.
Enterprise Wipe: Deletes only stored corporate information.
Lock Device: Locks the associated device.
Remote Wipe: Deletes all stored information.
Adding an Air Wave Endpoint Context Server
Consult the endpoint manufacturer's documentation for information about the parameters that you must enter to configure this endpoint.
Table 238: Add Air Wave Endpoint Context Server tab Parameters
Select Server Type: Air Wave.
Server Name: Enter a valid server name. You can enter an IP address or domain name.
Server Base URL: Enter the full URL for the server. The default is the name you entered above with "https://" prepended. You can append a custom port, such as for an MDM server: https://yourserver.yourcompany.com:customerportnumber.
Username: Enter the username.
Password: Enter the password.
Table 239: Add Aruba Activate Endpoint Context Server tab Parameters
Select Server Type: Aruba Activate.
Server Name: Enter a valid server name. You can enter an IP address or domain name.
Server Base URL: Enter the full URL for the server. The default is the name you entered above with "https://" prepended. You can append a custom port, such as for an MDM server: https://yourserver.yourcompany.com:customerportnumber.
Username: Enter the username.
Table 240: Add Generic HTTP Endpoint Context Server tab Parameters
Select Server Type: Generic HTTP.
Server Name: Enter a valid server name. You can enter an IP address or domain name.
Server Base URL: Enter the full URL for the server. The default is the name you entered above with "https://" prepended. You can append a custom port, such as for an MDM server: https://yourserver.yourcompany.com:customerportnumber.
Username: Enter the username.
Adding a JAMF Endpoint Context Server
Consult the endpoint manufacturer's documentation for information about the parameters that you must enter to configure this endpoint.
Figure 389: Add JAMF Endpoint Context Server tab
Table 242: Add JAMF Endpoint Context Server tab Parameters
Select Server Type: JAMF.
Server Name: Enter a valid server name. You can enter an IP address or domain name.
Server Base URL: Enter the full URL for the server. The default is the name you entered above with "https://" prepended.
Username: Enter the username.
Figure 390: Add MaaS360 Endpoint Context Server tab
Table 243: Add MaaS360 Endpoint Context Server tab Parameters
Select Server Type: MaaS360.
Server Name: Enter a valid server name. You can enter an IP address or domain name.
Server Base URL: Enter the full URL for the server. The default is the name you entered above with "https://" prepended. You can append a custom port, such as for an MDM server: https://yourserver.yourcompany.com:customerportnumber.
Adding a MobileIron Endpoint Context Server
Consult the endpoint manufacturer's documentation for information about the parameters that you must enter to configure this endpoint.
Figure 391: Add MobileIron Endpoint Context Server tab
Table 244: Add MobileIron Endpoint Context Server tab Parameters
Select Server Type: Select MobileIron.
Server Name: Enter the server name.
Server Base URL: Enter the URL of the base server.
Username: Enter the username.
Figure 392: Add MobileIron Endpoint Context Server Actions tab
Table 245: Add MobileIron Endpoint Context Server Actions tab Parameters
Lock Device: Locks the associated device.
Remote Wipe: Deletes all stored information.
Adding a Palo Alto Networks Firewall
Consult the endpoint manufacturer's documentation for information about the parameters that you must enter to configure this endpoint.
Table 246: Add Palo Alto Networks Firewall tab Parameters
Select Server Type: Palo Alto Networks Firewall.
Server Name: Enter the server name.
Server Base URL: Enter the server base URL.
Username: Enter the user name.
Password: Enter the password.
Verify Password: Re-enter the password.
Use Full Username: Click to use the full user name in UID updates.
GlobalProtect: Click to enable GlobalProtect on the Palo Alto Networks Firewall.
Table 247: Palo Alto Networks Panorama Endpoint Context Server tab Parameters (Continued)
Parameter: Description
- Server Name: Enter the server name.
- Server Base URL: Enter the base URL of the server.
- Username: Enter the username.
- Password: Enter the password.
- Verify Password: Re-enter the password.
- Use Full Username: Click to use the full username in UID updates.
- GlobalProtect: Click to enable GlobalProtect on the Palo Alto Networks Firewall.
Table 248: Add SOTI Endpoint Context Server tab Parameters (Continued)
Parameter: Description
- Server Name: Enter the server name.
- Server Base URL: Enter the base URL of the server.
- Username: Enter the user name.
- Password: Enter the password.
- Verify Password: Re-enter the password.
- Group ID: (optional) Enter the group ID.
- Validate Server: Click to enable validation of the server.
Table 249: Add XenMobile Endpoint Context Server tab Parameters (Continued)
Parameter: Description
- Password: Enter the password.
- Verify Password: Re-enter the password.
- Validate Server: Click to enable validation of the server certificate.
Server Certificate
The page displayed after you click Administration > Certificates > Server Certificates depends on whether the RADIUS Server Certificate Type or the HTTPS Service Certificate Type was assigned to the selected server.
Table 250: Server Certificate Interfaces (Common) (Continued)
Parameter: Description
- Export Server Certificate: After you click this link, the Self-Signed Certificate that is in use is downloaded. The default location for an exported certificate is C:// /Downloads/ or
Table 252: Server Certificate Page (HTTPS Server Certificate Type) Parameters
Parameter: Description
- Subject: Common.
- Issued by: Displays Organization and Common Name.
- Issue Date: The date the Self-Signed Certificate was installed.
- Expiry Date: The date (in days) for which the Self-Signed Certificate is valid.
- Validity Status: The status of the Self-Signed Certificate.
Figure 399: Generated Certificate Signing Request
Table 253: Create Certificate Signing Request Parameters
Parameter: Description
- Common Name (CN): Name associated with this entity. This can be a host name, IP address or other meaningful name. This field is required. The default is the fully-qualified domain name (FQDN).
- Organization (O): Name of the organization. This field is optional.
- Organizational Unit (OU): Name of a department, division, section, or other meaningful name.
Table 253: Create Certificate Signing Request Parameters (Continued)
Parameter: Description
- Private Key Password / Verify Private Key Password: Specify and verify the password. This field is required.
- Key Length: Select the length for the generated private key: 512, 1024, or 2048. The default is 2048.
- Digest Algorithm: Select the message digest algorithm to use: SHA-1, MD5, or MD2.
- Submit: Click this button to generate a Certificate Signing Request, as shown above.
Table 254: Create Self-Signed Certificate Page Parameters
Parameter: Description
- Selected Server: Displays the name of the server selected on the Server Certificate page.
- Selected Type: Displays the name of the certificate type selected for the server.
- Common Name (CN): Name associated with this entity. This can be a host name, IP address or other meaningful name. This field is required.
- Organization (O): Name of the organization. This field is optional.
Installing the self-signed certificate
After you click Submit, you will be prompted to install the self-signed certificate. The pop-up displays a summary of the values selected on the Create Self-Signed Certificate page.
Figure 401: Install Self-Signed Certificate
Table 255: Install Self-Signed Certificate Page Parameters
Parameter: Description
- Selected Server: Displays the name of the server selected on the first page.
- Selected Type: Displays the name of the certificate type selected for the server.
Table 255: Install Self-Signed Certificate Page Parameters (Continued)
Parameter: Description
- Submit/Cancel: After you click Install, Policy Manager generates a message about the status of the certificate installation. If the installation is successful, the page displays "Server Certificate updated successfully. Please login again to continue..."
NOTE: Because all services are restarted after a successful certificate installation, you must click Logout and log in to the CPPM client again to continue.
Certificate Trust List
To display the list of trusted Certificate Authorities (CAs), navigate to Administration > Certificates > Certificate Trust List. To add a certificate, click Add Certificate; to delete a certificate, select the check box to the left of the certificate and then click Delete.
Figure 403: Certificate Trust List
Table 257: Certificate Trust List
Parameter: Description
- Subject: The Distinguished Name (DN) of the subject field in the certificate.
Revocation Lists
To display available Revocation Lists, navigate to Administration > Certificates > Revocation Lists. To add a revocation list, click Add Revocation List. To delete a revocation list, select the check box to the left of the list and then click Delete.
Figure 405: Revocation Lists
Table 259: Revocation Lists
Parameter: Description
- Add Revocation List: Click to launch the Add Revocation List popup.
Parameter: Description
- URL: Enables the Distribution URL option.
- Distribution URL: Specify the distribution URL (e.g., http://crl.verisign.com/Class3InternationalServer.crl) from which to fetch the certificate revocation list.
- Auto Update: Select "Update whenever CRL is updated" to update the CRL at the intervals specified in the list, or select "Periodically update" to check periodically at the specified frequency (in days).
Figure 408: RADIUS IETF Dictionary Attributes
Table 261: RADIUS Dictionary Attributes
Parameter: Description
- Export: Click to save the dictionary file in XML format. You can make modifications to the dictionary and import the file back into Policy Manager.
- Enable/Disable: Enable or disable this dictionary. Enabling a dictionary makes it appear in the Policy Manager rules editors (Service rules, Role mapping rules, etc.).
Import RADIUS Dictionary
You can also add dictionaries using Import.
Table 262: Import RADIUS Dictionary
Parameter: Description
- Select File: Browse to select the file that you want to import.
- Enter secret for the file (if any): If the file that you want to import is password protected, enter the secret here.
Posture Dictionary
To add a vendor posture dictionary, click on Import Dictionary. To edit an existing dictionary, export the existing dictionary, edit the exported XML file, and then import the dictionary.
Table 264: Posture Attributes Parameters
Parameter: Description
- Export: Click to save the posture dictionary file in XML format. You can make modifications to the dictionary and import the file back into Policy Manager.
TACACS+ Services Dictionary
To view the contents of the TACACS+ service dictionary, sorted by Name or Display Name, navigate to Administration > Dictionaries > TACACS+ Services. To add a new TACACS+ service dictionary, click on the Import Dictionary link.
Figure 413: Shell Service Dictionary Attributes
Fingerprints Dictionary
The Device Fingerprints table shows a listing of all the device fingerprints recognized by the Profile module. These fingerprints are updated from the Dell W-ClearPass Update Portal (see "Software Updates" on page 411 for more information).
Figure 414: Device Fingerprints Page
You can click on a line in the Device Fingerprints list to drill down and view additional details about the category.
Figure 415: Device Fingerprint Dictionary Attributes Page
Attributes Dictionary
The Administration > Dictionaries > Attributes page allows you to specify unique sets of criteria for LocalUsers, GuestUsers, Endpoints, and Devices. This information can then be used with role-based device policies to enable the appropriate network access.
Table 266: Attributes Page Parameters
Parameter: Description
- Filter: Use the drop-down list to create a search based on the available Name, Entity, Data Type, Is Mandatory, or Allow Multiple settings.
- Name: The name of the attribute.
- Entity: Shows whether the attribute applies to a LocalUser, GuestUser, Device, or Endpoint.
- Data Type: Shows whether the data type is string, integer, boolean, list, text, date, MAC address, or IPv4 address.
Table 267: Attribute Setting Parameters (Continued)
Parameter: Description
- Is Mandatory: Specify whether the attribute is required for a specific entity.
- Allow Multiple: Specify whether multiple attributes are allowed for an entity.
NOTE: Multiple attributes are not permitted if Is Mandatory is specified as Yes.
Import Attributes
Select Import Attributes on the upper right portion of the page. The imported file is in XML format.
To export just one attribute, select it (check box at left) and click Export. Your browser will display its normal Save As dialog, in which you enter the name of the XML file that will contain the export.
Applications Dictionary
Application dictionaries define the attributes of the Onboard and WorkSpace Policy Manager applications and the type of each attribute.
- "Filter an Endpoint Context Server Action Report" on page 407
- "View Details About Endpoint Context Server Actions" on page 407
- "Add an Endpoint Context Server Action Item" on page 407
- "Import Context Server Actions" on page 408
- "Export Context Server Actions" on page 409
Figure 419: Endpoint Context Server Actions Page
Table 269: Endpoint Context Server Action Page Parameters
Parameter: Description
- Server Type: The server type configured when the server action was configured.
Figure 420: Endpoint Context Server Details Action tab
Table 270: Endpoint Context Server Action tab Parameters
Parameter: Description
- Action: Specifies the server type, name, description and HTTP Method. Enter the URL of the server.
- Header: Specifies the key-value pairs to be included in the HTTP Header.
- Content: Specifies a Content-Type. Choose from CUSTOM, HTML, JSON, PLAIN, XML.
- Attributes: Specifies the mapping for attributes used in the content to parameterized values from the request.
Table 271: Import Context Server Action
Parameter: Description
- Select File / Enter secret for the file (if any): Browse to the dictionary file to be imported. Enter the secret key (if any) that was used to export the dictionary.
- Import/Cancel: Click Import to commit, or Cancel to dismiss the popup.
Export Context Server Actions
Select Export Attributes on the upper right portion of the page. The file that you export will be sent to your default download folder in XML format.
Table 273: OnGuard Settings
Container: Description
- Global Agent Settings: Configure global parameters for OnGuard agents. Parameters include the following:
  - Allowed Subnets for Wired access: Add a comma-separated list of IP or subnet addresses.
  - Allowed Subnets for Wireless access: Add a comma-separated list of IP or subnet addresses.
  - Cache Credentials Interval (in days): Select the number of days the user credentials should be cached on OnGuard agents.
Table 273: OnGuard Settings (Continued)
Container: Description
- Mac OS X: The URLs for the different agent deployment packages for Mac OS X.
- Agent Customization:
  - Managed Interfaces: Select the type(s) of interfaces that OnGuard will manage on the endpoint. Options include: Wired, Wireless, VPN, Other.
  - Mode: Select one of: Authenticate - no health checks; Check health - no authentication (OnGuard does not collect username/password); Authenticate with health checks.
- Profile data updates, including Fingerprint
- Software upgrades for the ClearPass family of products
- Patch binaries, including Onboard, Guest Plugins and Skins
Updates are stored on the ClearPass webservice server. When a valid Subscription ID is saved, the Dell Networking W-ClearPass Policy Manager server periodically communicates with the webservice about available updates. It downloads any available updates to the Dell Networking W-ClearPass Policy Manager server.
Table 274: Software Updates Page Parameters (Continued)
Parameter: Description
- Firmware & Patch Updates / Import Updates: If the server is not able to reach the webservice server, click Import Updates to import the latest signed Firmware and Update patch binaries (obtained via support or other means) into this server. These will show up in the table and can be installed by clicking on the Install button.
Figure 424: Install Update Page
Table 275: Install Update Page Parameters
Parameter: Description
- Close: Click on this button to close the dialog box.
- Clear & Close: Click on this button to delete the log messages and close the popup. This will also remove the corresponding row from the Firmware & Patch Updates table.
- Reboot: This button appears only for updates requiring a reboot to complete the installation. Click on this button to initiate a reboot of the server.
MySQL is supported in versions 6.0 and newer. Aruba does not ship MySQL drivers by default. If you require MySQL, contact Aruba support to get the required patch. This patch does not persist across upgrades, so customers using MySQL should contact support before they upgrade.
Upgrade the Image on a Single Policy Manager Appliance
Perform these steps to upgrade the image on a single Policy Manager appliance:
1.
Support
The Administration > Support pages provide information for contacting support, setting up a remote assistance session, and viewing ClearPass documentation. For more information, see:
- "Contact Support" on page 416
- "Remote Assistance" on page 416
- "Documentation" on page 418
Contact Support
The Administration > Support > Contact Support page provides you with information on how to contact Dell Support.
Table 276: Remote Assistance Session Page Parameters
Parameter: Description
- Name: Text name of the session.
- Type: Indicates if the session is a one-time session or a periodic session. Move the cursor over the entry to view the schedule of the session.
- Support Contact: The email address of the support contact.
- Status: Provides the session state.
Table 278: Add Session Page Parameters (Continued)
Parameter: Description
- Session Type:
  - One Time
  - Future (will initiate a session in the future, on a selected date and time)
  - Weekly (will initiate a session on a selected weekday at the selected time)
  - Monthly (will initiate a session on a selected day of every month at the selected time)
- Duration: The duration of a session is specified in Hours and Minutes.
- Status:
Figure 428: Documentation page
Appendix A: Command Line Interface
Refer to the following sections:
- "Available Commands" on page 421
- "Cluster Commands" on page 423
- "Configure Commands" on page 426
- "Network Commands" on page 428
- "Service Commands" on page 431
- "Show Commands" on page 432
- "System Commands" on page 434
- "Miscellaneous Commands" on page 437
Available Commands
Table 279: Command Categories
Command: Reference
- ad auth: See "Miscellaneous Commands" on page 437
- ad netleave: See "Miscellaneous Commands" on page 437
Table 279: Command Categories (Continued)
Command: Reference
- cluster set-local-passwd
- configure date
- configure dns
- configure hostname
- configure ip
- configure timezone
- dump certchain: See "Miscellaneous Commands" on page 437
- dump logs: See "Miscellaneous Commands" on page 437
- dump servercert: See "Miscellaneous Commands" on page 437
- exit: See "Miscellaneous Commands" on page 437
- help: See "Miscellaneous Commands" on page 437
- krb auth: See "Miscellaneous Commands" on page 437
- krb list: See "Miscellaneous Commands" on page 437
Table 279: Command Categories (Continued)
Command: Reference
- restore: See "Miscellaneous Commands" on page 437
- service activate
- service deactivate
- service list
- service restart
- service start
- service status
- service stop
- show date
- show dns
- show domain
- show all-timezones
- show hostname
- show ip
- show license
- show timezone
- show version
- system boot-image
- system gen-support-key
- system update
- system restart
- system shutdown
- system install-license
- system upgrade
Cluster Commands
The Policy Manager command line interface includes t
- "drop-subscriber" on page 424
- "list" on page 424
- "make-publisher" on page 424
- "make-subscriber" on page 425
- "reset-database" on page 425
- "set-cluster-passwd" on page 425
- "set-local-passwd" on page 426
drop-subscriber
Removes the specified subscriber node from the cluster.
Syntax
cluster drop-subscriber [-f] [-i ] -s
Where:
Table 280: Drop-Subscriber Commands
Flag/Parameter: Description
- -f: Force drop, even for down nodes.
Example
[appadmin]# cluster make-publisher
********************************************************
* WARNING: Executing this command will promote the     *
* current machine (which must be a subscriber in the   *
* cluster) to the cluster publisher. Do not close the  *
* shell or interrupt this command execution.           *
********************************************************
Continue? [y|Y]: y
make-subscriber
Makes this node a subscriber to the specified publisher node.
Returns
[appadmin]# cluster set-cluster-passwd
cluster set-cluster-passwd
Enter Cluster Passwd: santaclara
Re-enter Cluster Passwd: santaclara
INFO - Password changed on local (publisher) node
Cluster password changed
set-local-passwd
Changes the local password. Executed locally; prompts for the new local password.
Table 282: Date Commands (Continued)
Flag/Parameter: Description
- -t
Table 283: IP Commands
Flag/Parameter: Description
- Network interface type: mgmt or data
- ip: Server IP address.
- netmask: Netmask address.
- gateway: Gateway address.
Example
[appadmin]# configure ip data 192.168.5.12 netmask 255.255.255.0 gateway 192.168.5.1
timezone
Configures the time zone interactively.
Table 284: IP Commands
Flag/Parameter: Description
- Specify the management or data interface.
- -i: ID of the network IP rule. If unspecified, the system will auto-generate an ID. Note that the ID determines the priority in the ordered list of rules in the routing table.
- -s: Optional. Specifies the IP address or network (for example, 192.168.5.0/24) or 0/0 (for all traffic) of the traffic originator. Only one of SrcAddr or DstAddr must be specified.
- -d: Optional.
Table 286: Nslookup Commands
Flag/Parameter: Description
- Type of DNS record. For example, A, CNAME, PTR.
- Host or domain name to be queried.
Example 1
[appadmin]# nslookup sun.us.arubanetworks.com
Example 2
[appadmin]# nslookup -q SRV arubanetworks.com
ping
Tests reachability of the network host.
Syntax
network ping [-i ] [-t]
Where:
Table 287: Ping Commands
Flag/Parameter: Description
- -i: Optional. Originating IP address for ping.
- -t: Optional.
Example
[appadmin]# network reset data
traceroute
Prints the route taken to reach the network host.
Syntax
network traceroute
Where:
Table 289: Traceroute Commands
Flag/Parameter: Description
- Name of the network host.
Example
[appadmin]# network traceroute sun.us.arubanetworks.
Example 1
[appadmin]# service activate tips-policy-server
Example 2
[appadmin]# service list all
service list
Policy server                  [ tips-policy-server ]
Admin UI service               [ tips-admin-server ]
System auxiliary services      [ tips-system-auxiliary-server ]
Radius server                  [ tips-radius-server ]
Tacacs server                  [ tips-tacacs-server ]
Async DB write service         [ tips-dbwrite-server ]
DB replication service         [ tips-repl-server ]
System monitor service         [ tips-sysmon-server ]
Example 3
[appadmin]# service status tips-domain-ser
Example
[appadmin]# show date
Wed Oct 31 14:33:39 UTC 2012
dns
Displays DNS servers.
Syntax
show dns
Example
[appadmin]# show dns
show dns
===========================================
DNS Information
-------------------------------------------
Primary DNS   : 192.168.5.3
Secondary DNS :
Tertiary DNS  :
===========================================
domain
Displays Domain Name, IP Address, and Name Server information.
Subnet Mask   : 255.255.255.0
Gateway       : 192.168.5.1
===========================================
Device Type   : Data Port
-------------------------------------------
IP Address    :
Subnet Mask   :
Gateway       :
===========================================
DNS Information
-------------------------------------------
Primary DNS   : 192.168.5.
- "install-license" on page 435
- "restart" on page 436
- "shutdown" on page 436
- "update" on page 436
- "upgrade" on page 437
boot-image
Sets system boot image control options.
Syntax
system boot-image [-l] [-a ]
Where:
Table 291: Boot-Image Commands
Flag/Parameter: Description
- -l: Optional. List boot images installed on the system.
- -a: Optional. Set the active boot image version, in A.B.C.D syntax.
Example
[appadmin]# system install-license
morph-vm
Converts an evaluation VM to a production VM. With this command, licenses are still required to be installed after the morph operation is complete.
Syntax
system morph-vm
Where:
Table 293: Install-License Commands
Flag/Parameter: Description
- Mandatory. This is the updated ClearPass version.
Syntax
system update [-i user@hostname:/ | http://hostname/]
system update [-l]
Where:
Table 294: Update Commands
Flag/Parameter: Description
- -i user@hostname:/ | http://hostname/: Optional. Install the specified patch on the system.
- -l: Optional. List the patches installed on the system.
NOTE: This command supports only SCP and HTTP uploads.
Example
[appadmin]# system update
upgrade
Upgrades the system.
- "ad netleave" on page 439
- "ad testjoin" on page 439
- "alias" on page 439
- "backup" on page 440
- "dump certchain" on page 440
- "dump logs" on page 440
- "dump servercert" on page 441
- "exit" on page 441
- "help" on page 441
- "krb auth" on page 442
- "krb list" on page 442
- "ldapsearch" on page 442
- "quit" on page 443
- "restore" on page 443
- "system start-rasession" on page 444
- "system terminate-rasession" on page 444
- "system status-rasession" on page 444
ad
Table 297: Ad Netjoin Commands
Flag/Parameter: Description
- Required. Host to be joined to the domain.
- [domain NETBIOS name]: Optional.
Example
[appadmin]# ad netjoin atlas.us.arubanetworks.com
ad netleave
Removes the host from the domain.
Syntax
ad netleave
Example
[appadmin]# ad netleave
ad testjoin
Tests if the netjoin command succeeded, that is, whether Policy Manager is a member of the AD domain.
backup
Creates a backup of Policy Manager configuration data. If no arguments are entered, the system auto-generates a filename and backs up the configuration to this file.
Syntax
backup [-f ] [-L] [-P]
Where:
Table 299: Backup Commands
Flag/Parameter: Description
- -f: Optional. Backup target. If not specified, Policy Manager will auto-generate a filename.
- -L: Optional. Do not back up the log database configuration.
- -P: Optional.
Table 301: Dump Logs Commands
Flag/Parameter: Description
- -f: Specifies the target for concatenated logs.
- -s yyyy-mm-dd: Optional. Date range start (default is today).
- -e yyyy-mm-dd: Optional. Date range end (default is today).
- -n: Optional. Duration in days (from today).
- -t: Optional. Type of log to collect.
- -h: Specify (print help) for available log types.
Example 1
[appadmin]# dump logs -f tips-system-logs.
Example
[appadmin]# help
alias       Create aliases
backup      Backup Policy Manager data
cluster     Policy Manager cluster related commands
configure   Configure the system parameters
dump        Dump Policy Manager information
exit        Exit the shell
help        Display the list of supported commands
netjoin     Join host to the domain
netleave    Remove host from the domain
network     Network troubleshooting commands
quit        Exit the shell
restore     Restore Policy Manager database
service     Control Policy Manager services
show        Show configur
Table 304: LDAP Search Commands
Flag/Parameter: Description
- Specifies the username and the fully qualified domain name of the host. The -B command finds the bind DN of the LDAP directory.
Example
[appadmin]# ldapsearch -B admin@corp-ad.acme.com
quit
Exits the shell.
Syntax
quit
Example
[appadmin]# quit
restore
Restores Policy Manager configuration data from the backup file.
system start-rasession
Allows administrators to configure and begin a Remote Assistance session through the CPPM CLI. Configuring a Remote Assistance session through the CLI can be used if the CPPM UI at the customer site is inaccessible.
Syntax
system start-rasession
Where:
Table 306: Start Remote Session Commands
Flag/Parameter: Description
- Defines the duration in hours of the Remote Assistance Session.
Appendix B: Rules Editing and Namespaces
In the Policy Manager administration User Interface (UI) you use the same editing interface to create different types of objects:
- Service rules
- Role mapping policies
- Internal user policies
- Enforcement policies
- Enforcement profiles
- Post-audit rules
- Proxy attribute pruning rules
- Filters for Access Tracker and activity reports
- Attributes editing for policy simulation
When editing all these elements, you are presented with a tabular in
- "Audit Namespaces" on page 447
- "Authentication Namespaces" on page 447
- "Authorization Namespaces" on page 449
- "Certificate Namespaces" on page 450
- "Connection Namespaces" on page 451
- "Date Namespaces" on page 452
- "Device Namespaces" on page 452
- "Endpoint Namespaces" on page 453
- "Guest User Namespaces" on page 453
- "Host Namespaces" on page 453
- "Local User Namespaces" on page 453
- "Posture Namespaces" on page 454
- "RADIUS Namespaces" on page 454
- "Tacacs Nam
- MDM-Data-Roaming
- MDM-Voice-Roaming
- Onboard-Max-Devices
- Page-Name
- Provisioning-Settings-ID
- SAMLRequest
- SAMLResponse
- Session-Timeout
- User-Email-Address
Audit Namespaces
The dictionaries in the audit namespace come pre-packaged with the product. The Audit namespace has the notation Vendor:Audit, where Vendor is the name of the company that has defined attributes in the dictionary. Examples of dictionaries in the audit namespace are AvendaSystems:Audit or Qualys:Audit.
Table 310: Authentication Namespace Attributes
Attribute Name: Values
- InnerMethod: CHAP, EAP-GTC, EAP-MD5, EAP-MSCHAPv2, EAP-TLS, MSCHAP, PAP
- OuterMethod: CHAP, EAP-FAST, EAP-MD5, EAP-PEAP, EAP-TLS, EAP-TTLS, MSCHAP, PAP
- Phase1PAC:
  - None - No PAC was used to establish the outer tunnel in the EAP-FAST authentication method
  - Tunnel - A tunnel PAC was used to establish the outer tunnel in the
- Phase2PAC:
- Posture:
- Status:
Table 310: Authentication Namespace Attributes (Continued)
Attribute Name: Values
- MacAuth:
  - NotApplicable - Not a MAC Auth request
  - Known Client - Client MAC address was found in an authentication source
  - Unknown Client - Client MAC address was not found in an authentication source
- Username: The username as received from the client (after the strip user name rules are applied).
- FullUsername: The username as received from the client (before the strip user name rules are applied).
- Sources: This is the list of the authorization sources from which attributes were fetched for role mapping.
Authorization namespaces appear in Role mapping policies.
SQL Instance Namespace
For each instance of an SQL authentication source, there is an SQL instance namespace that appears in the rules editing interface. The SQL instance namespace consists of the attribute names defined when you created an instance of this authentication source. The attribute names are pre-populated for administrative convenience.
Table 311: Certificate Namespace Attributes (Continued)
Attribute Name: Values
- Issuer-C, Issuer-CN, Issuer-DC, Issuer-DN, Issuer-emailAddress, Issuer-GN, Issuer-L, Issuer-O, Issuer-OU, Issuer-SN, Issuer-ST, Issuer-UID: Attributes associated with the issuer (Certificate Authorities or the enterprise CA). Not all of these fields are populated in a certificate.
Table 312: Connection Namespace Pre-defined Attributes (Continued)
Attribute: Description
- NAD-IP-Address: IP address of the network device from which the request originated.
- Client-Mac-Address: MAC address of the client.
- Client-Mac-Address-Colon, Client-Mac-Address-Dot, Client-Mac-Address-Hyphen, Client-Mac-Address-Nodelim: Client MAC address in different formats.
- Client-IP-Address: IP address of the client (if known).
Endpoint Namespaces
Use these attributes to look for attributes of authenticating endpoints, which are present in the Policy Manager endpoints list. The Endpoint namespace has the following attributes:
- Disabled By
- Disabled Reason
- Enabled By
- Enabled Reason
- Info URL
Guest User Namespaces
The GuestUser namespace has the attributes associated with the guest user (resident in the Policy Manager guest user database) who authenticated in this session.
- Phone
- Sponsor
Custom attributes also appear in the attribute list if they are defined as custom tags for the local user. These attributes can be used only if you have pre-populated the values for these attributes when a local user is configured in Policy Manager.
Posture Namespaces
The dictionaries in the posture namespace are pre-packaged with the product.
- Post-proxy attribute pruning rules
- RADIUS Enforcement profiles: All RADIUS namespace attributes that can be sent back to a RADIUS client (the ones marked with the OUT or INOUT qualifier)
- Role mapping policies
- Service rules: All RADIUS namespace attributes that can appear in a request (the ones marked with the IN or INOUT qualifier)
Tacacs Namespaces
The Tacacs namespace has the attributes available in a TACACS+ request.
Table 313: Policy Manager Variables
Variable: Description
- %{attribute-name}: attribute-name is the alias name for an attribute that you have configured to be retrieved from an authentication source. See "Adding and Modifying Authentication Sources" on page 149.
- %{RADIUS:IETF:MACAddress-Colon}: MAC address of the client in aa:bb:cc:dd:ee:ff format
- %{RADIUS:IETF:MACAddress-Hyphen}: MAC address of the client in aa-bb-cc-dd-ee-ff format
- %{RADIUS:IETF:MACAddress-Dot}: MAC address of the client in aabb.ccdd.
Table 314: Attribute Operators
Attribute Type: Operators
- String:
- Integer:
Table 314: Attribute Operators (Continued)
Attribute Type: Operators
- Time or Date: EQUALS, NOT_EQUALS, GREATER_THAN, GREATER_THAN_OR_EQUALS, LESS_THAN, LESS_THAN_OR_EQUALS, IN_RANGE
- Day: BELONGS_TO, NOT_BELONGS_TO
- List (Example: Role): EQUALS, NOT_EQUALS, MATCHES_ALL, NOT_MATCHES_ALL, MATCHES_ANY, NOT_MATCHES_ANY, MATCHES_EXACT, NOT_MATCHES_EXACT
- Group (Example: Calling-Station-Id, NAS-IP-Address and all string data types): BELONGS_TO_GROUP, NOT_BELONGS_TO_GROUP
The
Operator: Description
- BELONGS_TO: For the string data type, true if the run-time value of the attribute matches a set of configured string values. E.g., RADIUS:IETF:Service-Type BELONGS_TO Login-User,Framed-User,Authenticate-Only
  For the integer data type, true if the run-time value of the attribute matches a set of configured integer values. E.g., RADIUS:IETF:NAS-Port BELONGS_TO 1,2,3
  For the day data type, true if the run-time value of the attribute matches a set of configured days of the week. E.g.
Operator: Description
- GREATER_THAN_OR_EQUALS: For the integer, time and date data types, true if the run-time value of the attribute is greater than or equal to the configured value. E.g., RADIUS:IETF:NAS-Port GREATER_THAN_OR_EQUALS 10
- IN_RANGE: For the time and date data types, true if the run-time value of the attribute is greater than or equal to the first configured value and less than or equal to the second configured value. E.g.
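As an added, constructed illustration of the operator semantics in Tables 314 and 315 (not Policy Manager's own code): a small evaluator that applies BELONGS_TO, NOT_BELONGS_TO, the ordering operators and IN_RANGE to a request whose attribute values are already typed. Assumed for the example: an attribute absent from the request never matches, IN_RANGE bounds are written as "low,high", a rule's conditions are ANDed, and the date attribute name Date:Date-of-Year is illustrative only.

```python
"""Toy evaluator for Policy Manager rule conditions (constructed example, not
product code). Operator names follow Tables 314 and 315. Run-time attribute
values arrive already typed (str, int, datetime.date or datetime.time); the
configured value is the raw text typed into the rules editor."""
from dataclasses import dataclass
from datetime import date, time
from typing import Any, Dict, Iterable, List

SET_OPS = {"BELONGS_TO", "NOT_BELONGS_TO"}
ORDER_OPS = {
    "GREATER_THAN": lambda a, b: a > b,
    "GREATER_THAN_OR_EQUALS": lambda a, b: a >= b,
    "LESS_THAN": lambda a, b: a < b,
    "LESS_THAN_OR_EQUALS": lambda a, b: a <= b,
}


@dataclass(frozen=True)
class Condition:
    attribute: str   # namespace-qualified name, e.g. "RADIUS:IETF:NAS-Port"
    operator: str    # one of the operator names from Table 314
    value: str       # configured value text; comma-separated for sets and ranges


def _coerce(text: str, like: Any) -> Any:
    """Parse configured text into the data type of the run-time value."""
    if isinstance(like, bool):          # bool is checked before int on purpose
        return text.strip().lower() == "true"
    if isinstance(like, int):
        return int(text)
    if isinstance(like, date):          # datetime.datetime is a date subclass
        return date.fromisoformat(text)
    if isinstance(like, time):
        return time.fromisoformat(text)
    return text                          # strings and day names compare as text


def _split(text: str) -> List[str]:
    return [part.strip() for part in text.split(",") if part.strip()]


def evaluate(cond: Condition, request: Dict[str, Any]) -> bool:
    """Return True if the request satisfies a single condition."""
    if cond.attribute not in request:
        return False   # assumption: an attribute missing from the request never matches
    actual = request[cond.attribute]
    op = cond.operator
    if op in SET_OPS:
        # BELONGS_TO: run-time value equals any one of the configured string/integer/day values
        members = {_coerce(v, actual) for v in _split(cond.value)}
        return (actual in members) == (op == "BELONGS_TO")
    if op == "IN_RANGE":
        # Inclusive on both ends; assumption: bounds are given as "low,high"
        low, high = (_coerce(v, actual) for v in _split(cond.value))
        return low <= actual <= high
    if op in ORDER_OPS:
        return ORDER_OPS[op](actual, _coerce(cond.value, actual))
    if op == "EQUALS":
        return actual == _coerce(cond.value, actual)
    if op == "NOT_EQUALS":
        return actual != _coerce(cond.value, actual)
    raise ValueError(f"unsupported operator: {op}")


def evaluate_rule(conditions: Iterable[Condition], request: Dict[str, Any]) -> bool:
    """A rule matches when every condition matches (AND), as assumed here."""
    return all(evaluate(c, request) for c in conditions)


# Constructed request attributes used for the demonstration
SAMPLE_REQUEST = {
    "RADIUS:IETF:Service-Type": "Framed-User",
    "RADIUS:IETF:NAS-Port": 12,
    "Date:Date-of-Year": date(2012, 10, 31),   # attribute name assumed for illustration
}

# The examples quoted in Table 315 plus an IN_RANGE check on the date attribute
SAMPLE_RULE = [
    Condition("RADIUS:IETF:Service-Type", "BELONGS_TO", "Login-User,Framed-User,Authenticate-Only"),
    Condition("RADIUS:IETF:NAS-Port", "NOT_BELONGS_TO", "1,2,3"),
    Condition("RADIUS:IETF:NAS-Port", "GREATER_THAN_OR_EQUALS", "10"),
    Condition("Date:Date-of-Year", "IN_RANGE", "2012-10-01,2012-12-31"),
]

if __name__ == "__main__":
    for c in SAMPLE_RULE:
        print(f"{c.attribute} {c.operator} {c.value} -> {evaluate(c, SAMPLE_REQUEST)}")
    print("rule matches:", evaluate_rule(SAMPLE_RULE, SAMPLE_REQUEST))
```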
Appendix C: Error Codes, SNMP Traps, and System Events
This appendix contains listings of Dell Networking W-ClearPass Policy Manager error codes, SNMP traps, and important system events.
- "Error Codes" on page 461
- "SNMP Trap Details" on page 464
- "Important System Events" on page 474
Error Codes
The following table shows the CPPM error codes.
Table 316: CPPM Error Codes (Continued)
Code: Description: Type
- 211: Client certificate not valid: Authentication failure
- 212: Client certificate has expired: Authentication failure
- 213: Certificate comparison failed: Authentication failure
- 214: No certificate in authentication source: Authentication failure
- 215: TLS session error: Authentication failure
- 216: User authentication failed: Authentication failure
- 217: Search failed due to insufficient permissions: Authentication failure
- 218: Authenticat
Table 316: CPPM Error Codes (Continued)
Code | Description | Type
5009 | Request - No MAC address record found | Command and Control
6001 | Unsupported TACACS parameter in request | TACACS Protocol
6002 | Invalid sequence number | TACACS Protocol
6003 | Sequence number overflow | TACACS Protocol
6101 | Not enough inputs to perform authentication | TACACS Authentication
6102 | Authentication privilege level mismatch | TACACS Authentication
6103 | No enforcement profiles matched to perform authentication | TACACS Auth
Table 316: CPPM Error Codes (Continued)
Code | Description | Type
9009 | Unknown Phase2 PAC | RADIUS Protocol
9010 | Invalid Phase2 PAC | RADIUS Protocol
9011 | PAC verification failed | RADIUS Protocol
9012 | PAC binding failed | RADIUS Protocol
9013 | Session resumption failed | RADIUS Protocol
9014 | Cached session data error | RADIUS Protocol
9015 | Client does not support configured EAP methods | RADIUS Protocol
9016 | Client did not send Cryptobinding TLV | RADIUS Protocol
9017 | Failed to contact OCSP Server
.1.3.6.1.4.1.2021.8.1.2.X ==> Process Name
.1.3.6.1.4.1.2021.2.1.101.X ==> Process Status Message
Network Interface Up and Down Events OIDs:
.1.3.6.1.6.3.1.1.5.3 ==> Link Down
.1.3.6.1.6.3.1.1.5.4 ==> Link Up
Disk Utilization Threshold Exceed Events OIDs:
.1.3.6.1.4.1.2021.9.1.100.1 ==> Error flag for disk partition
.1.3.6.1.4.1.2021.9.1.2.1 ==> Name of the partition
CPU Load Average Exceed Events for 1, 5, and 15 Minute Thresholds OIDs:
.1.3.6.1.4.1.2021.9.1.100.1 ==> Error flag for disk partition
.1.3.
.1.3.6.1.2.1.88.2.1.1.0: extTable
.1.3.6.1.2.1.88.2.1.2.0:
.1.3.6.1.2.1.88.2.1.3.0:
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.5
.1.3.6.1.2.1.88.2.1.5.0: 0
.1.3.6.1.4.1.2021.8.1.2.5: cpass-radius-server
.1.3.6.1.4.1.2021.8.1.101.5: Radius server [ cpass-radius-server ] is running
2 (a) Admin Server stop SNMP trap
snmpTrapOID: .1.3.6.1.2.1.88.2.0.2
.1.3.6.1.2.1.88.2.1.1.0: extTable
.1.3.6.1.2.1.88.2.1.2.0:
.1.3.6.1.2.1.88.2.1.3.0:
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.1
.1.3.6.1.2.1.88.
.1.3.6.1.2.1.88.2.1.1.0: extTable
.1.3.6.1.2.1.88.2.1.2.0:
.1.3.6.1.2.1.88.2.1.3.0:
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.2
.1.3.6.1.2.1.88.2.1.5.0: 0
.1.3.6.1.4.1.2021.8.1.2.2: cpass-system-auxiliary-server
.1.3.6.1.4.1.2021.8.1.101.2: System auxiliary service [ cpass-system-auxiliary-server ] is running
4 (a) Policy server stop SNMP trap
snmpTrapOID: .1.3.6.1.2.1.88.2.0.2
.1.3.6.1.2.1.88.2.1.1.0: extTable
.1.3.6.1.2.1.88.2.1.2.0:
.1.3.6.1.2.1.88.2.1.3.0:
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.
.1.3.6.1.2.1.88.2.1.1.0: extTable
.1.3.6.1.2.1.88.2.1.2.0:
.1.3.6.1.2.1.88.2.1.3.0:
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.6
.1.3.6.1.2.1.88.2.1.5.0: 0
.1.3.6.1.4.1.2021.8.1.2.6: cpass-dbwrite-server
.1.3.6.1.4.1.2021.8.1.101.6: Async DB write service [ cpass-dbwrite-server ] is running
6 (a) DB replication service stop SNMP trap
snmpTrapOID: .1.3.6.1.2.1.88.2.0.2
.1.3.6.1.2.1.88.2.1.1.0: extTable
.1.3.6.1.2.1.88.2.1.2.0:
.1.3.6.1.2.1.88.2.1.3.0:
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.
.1.3.6.1.2.1.88.2.1.1.0: extTable
.1.3.6.1.2.1.88.2.1.2.0:
.1.3.6.1.2.1.88.2.1.3.0:
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.8
.1.3.6.1.2.1.88.2.1.5.0: 0
.1.3.6.1.4.1.2021.8.1.2.8: cpass-dbcn-server
.1.3.6.1.4.1.2021.8.1.101.8: DB change notification server [ cpass-dbcn-server ] is running
8 (a) Async netd service stop SNMP trap
snmpTrapOID: .1.3.6.1.2.1.88.2.0.2
.1.3.6.1.2.1.88.2.1.1.0: extTable
.1.3.6.1.2.1.88.2.1.2.0:
.1.3.6.1.2.1.88.2.1.3.0:
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.
.1.3.6.1.2.1.88.2.1.1.0: extTable
.1.3.6.1.2.1.88.2.1.2.0:
.1.3.6.1.2.1.88.2.1.3.0:
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.10
.1.3.6.1.2.1.88.2.1.5.0: 0
.1.3.6.1.4.1.2021.8.1.2.10: cpass-multi-master-cache-server
.1.3.6.1.4.1.2021.8.1.101.10: Multi-master cache [ cpass-multi-master-cache-server ] is running
10 (a) AirGroup Notification service stop SNMP trap
snmpTrapOID: .1.3.6.1.2.1.88.2.0.2
.1.3.6.1.2.1.88.2.1.1.0: extTable
.1.3.6.1.2.1.88.2.1.2.0:
.1.3.6.1.2.1.88.2.1.3.0:
.1.3.6.1.2.1.88.2.
.1.3.6.1.2.1.88.2.1.1.0: extTable
.1.3.6.1.2.1.88.2.1.2.0:
.1.3.6.1.2.1.88.2.1.3.0:
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.12
.1.3.6.1.2.1.88.2.1.5.0: 0
.1.3.6.1.4.1.2021.8.1.2.12: fias_server
.1.3.6.1.4.1.2021.8.1.101.12: Micros Fidelio FIAS [ fias_server ] is running
12 (a) TACACS server stop SNMP trap
snmpTrapOID: .1.3.6.1.2.1.88.2.0.2
.1.3.6.1.2.1.88.2.1.1.0: extTable
.1.3.6.1.2.1.88.2.1.2.0:
.1.3.6.1.2.1.88.2.1.3.0:
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.4
.1.3.6.1.2.1.88.2.1.
.1.3.6.1.2.1.88.2.1.1.0: extTable
.1.3.6.1.2.1.88.2.1.2.0:
.1.3.6.1.2.1.88.2.1.3.0:
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.13
.1.3.6.1.2.1.88.2.1.5.0: 0
.1.3.6.1.4.1.2021.8.1.2.13: cpass-vip-service
.1.3.6.1.4.1.2021.8.1.101.13: ClearPass Virtual IP service [ cpass-vip-service ] is running
14 (a) Stats Collection service stop SNMP trap
snmpTrapOID: .1.3.6.1.2.1.88.2.0.2
.1.3.6.1.2.1.88.2.1.1.0: extTable
.1.3.6.1.2.1.88.2.1.2.0:
.1.3.6.1.2.1.88.2.1.3.0:
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.
.1.3.6.1.2.1.88.2.1.1.0: extTable
.1.3.6.1.2.1.88.2.1.2.0:
.1.3.6.1.2.1.88.2.1.3.0:
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.14
.1.3.6.1.2.1.88.2.1.5.0: 0
.1.3.6.1.4.1.2021.8.1.2.14: cpass-carbon-server
.1.3.6.1.4.1.2021.8.1.101.14: Stats aggregation service [ cpass-carbon-server ] is running.
Network Interface Status Traps
.1.3.6.1.6.3.1.1.5.3 ==> Indicates the linkdown trap with the 'ifAdminStatus' and 'ifOperStatus' values set to 2.
.1.3.6.1.6.3.1.1.5.
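The process-status traps listed above share one shape: snmpTrapOID .1.3.6.1.2.1.88.2.0.2, a .1.3.6.1.2.1.88.2.1.4.0 varbind naming the flag .1.3.6.1.4.1.2021.8.1.100.N, and the process name and status message under .1.3.6.1.4.1.2021.8.1.2.N and .1.3.6.1.4.1.2021.8.1.101.N with the same index N. The following Python, added here and not part of the guide, parses a trap in that printed form and maps it to the ClearPass process it reports on; it assumes that the 0 shown on the "is running" traps means running and any other value means stopped, and the stop trap in the sample is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

TRIGGER_FIRED = ".1.3.6.1.2.1.88.2.0.2"   # snmpTrapOID carried by each process trap above
HOT_OID = ".1.3.6.1.2.1.88.2.1.4.0"       # which monitored object fired
HOT_VALUE = ".1.3.6.1.2.1.88.2.1.5.0"     # its value; 0 on every "is running" trap shown
PROC_FLAG_RE = re.compile(r"^\.1\.3\.6\.1\.4\.1\.2021\.8\.1\.100\.(\d+)$")
PROC_NAME = ".1.3.6.1.4.1.2021.8.1.2.{}"   # process name, same index as the flag
PROC_MSG = ".1.3.6.1.4.1.2021.8.1.101.{}"  # status message, same index

@dataclass
class ProcessEvent:
    index: int
    process: str
    message: str
    running: bool

def parse_varbinds(text: str) -> dict:
    """Parse 'OID: value' lines as printed in the guide; empty values are kept."""
    binds = {}
    for line in text.strip().splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key.strip():
            binds[key.strip()] = value.strip()
    return binds

def process_event(binds: dict) -> Optional[ProcessEvent]:
    """Map a trap to the process it concerns; None if it is not a process-status trap."""
    if binds.get("snmpTrapOID") != TRIGGER_FIRED:
        return None
    match = PROC_FLAG_RE.match(binds.get(HOT_OID, ""))
    if not match:
        return None
    idx = int(match.group(1))
    return ProcessEvent(
        index=idx,
        process=binds.get(PROC_NAME.format(idx), ""),
        message=binds.get(PROC_MSG.format(idx), ""),
        # Assumption: 0 (as shown on the running traps) means running, anything else stopped.
        running=binds.get(HOT_VALUE) == "0",
    )

def stopped_services(traps: List[str], watch=("cpass-radius-server", "cpass-vip-service")) -> list:
    """Names of watched processes whose most recent trap reports them not running."""
    state = {}
    for event in (process_event(parse_varbinds(t)) for t in traps):
        if event and event.process in watch:
            state[event.process] = event.running
    return sorted(name for name, up in state.items() if not up)

# Constructed samples: the RADIUS "running" trap as printed above, and an assumed stop trap
# for the same process (the guide's listing of the stop trap is cut off before its value).
RADIUS_RUNNING = """
snmpTrapOID: .1.3.6.1.2.1.88.2.0.2
.1.3.6.1.2.1.88.2.1.1.0: extTable
.1.3.6.1.2.1.88.2.1.2.0:
.1.3.6.1.2.1.88.2.1.3.0:
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.5
.1.3.6.1.2.1.88.2.1.5.0: 0
.1.3.6.1.4.1.2021.8.1.2.5: cpass-radius-server
.1.3.6.1.4.1.2021.8.1.101.5: Radius server [ cpass-radius-server ] is running
"""
RADIUS_STOPPED = RADIUS_RUNNING.replace(".1.3.6.1.2.1.88.2.1.5.0: 0",
                                        ".1.3.6.1.2.1.88.2.1.5.0: 1").replace("is running", "is stopped")
```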
.1.3.6.1.4.1.2021.10.1.100.2 ==> Error flag on the CPU load-5 average. A value of 1 indicates the load-5 has crossed its threshold and 0 indicates otherwise.
.1.3.6.1.4.1.2021.10.1.2.2 ==> Name of CPU load-5 average
Figure 433: CPU load-5 average example
.1.3.6.1.4.1.2021.10.1.100.3 ==> Error flag on the CPU load-15 average. A value of 1 indicates the load-15 has crossed its threshold and 0 indicates otherwise.
.1.3.6.1.4.1.2021.10.1.2.3 ==> Name of CPU load-15 average.
“Admin UI”, “INFO”, “Email Successful”, “Sending email succeeded”
“Admin UI”, “INFO”, “SMS Successful”, “Sending SMS succeeded”
Admin Server Events
Info Events
“Admin server”, “INFO”, “Performed action start on Admin server”
Async Service Events
Info Events
“Async DB write service”, “INFO”, “Performed action start on Async DB write service”
“Multi-master cache”, “INFO”, “Performed action start on Multi-master cache”
“Async netd service”, “INFO”, “Performed action start on Async netd service”
ClearPass/Doma
“timezone”, “INFO”, “configuration”, “”
“datetime”, “INFO”, “configuration”, “Successfully changed system datetime.\nOld time was ”
ClearPass Update Events
Critical Events
“Install Update”, “ERROR”, “Installing Update”, “File: ”, “Failed with exit status - ”
“ClearPass Firmware Update Checker”, “ERROR”, “Firmware Update Checker”, “No subscription ID was supplied.
Policy Server Events
Info Events
“Policy Server”, “INFO”, “Performed action start on Policy server”
“Policy Server”, “INFO”, “Performed action stop on Policy server”
RADIUS/TACACS+ Server Events
Critical Events
“TACACSServer”, “ERROR”, “Request”, “Nad Ip= not configured”
“RADIUS”, “WARN”, “Authentication”, “Ignoring request from unknown client :”
“RADIUS”, “ERROR”, “Authentication”, “Received packet from with invalid Message-Authenticator! (Shared secret is incorrect.
System Monitor Events
Critical Events
“Sysmon”, “ERROR”, “System”, “System is running with low memory. Available memory = %”
“Sysmon”, “ERROR”, “System”, “System is running with low disk space. Available disk space = %”
“System TimeCheck”, “WARN”, “Restart Services”, “Restarting CPPM services as the system detected time drift.
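As an added example that is not from the guide, the following Python parses event records in the quoted, comma-separated form listed above and counts the RADIUS authentication failures per peer address, so that a NAD whose shared secret no longer matches (or an unexpected sender using its address) stands out for follow-up. The sample events and the 192.0.2.x addresses are constructed; the guide's own templates leave the address blank.

```python
import csv
import re
from collections import Counter
from typing import Iterable, List, Tuple

Event = Tuple[str, str, str, str]   # source, level, category, description

def parse_events(lines: Iterable[str]) -> List[Event]:
    """Parse records in the guide's quoted form. Three-field records (source, level,
    description) get an empty category; extra trailing fields are joined into the description."""
    rows = []
    for raw in lines:
        text = raw.strip().replace("\u201c", '"').replace("\u201d", '"')  # typographic quotes
        if not text:
            continue
        fields = [f.strip() for f in next(csv.reader([text], skipinitialspace=True))]
        if len(fields) < 3:
            raise ValueError(f"malformed event record: {raw!r}")
        if len(fields) == 3:
            rows.append((fields[0], fields[1], "", fields[2]))
        else:
            rows.append((fields[0], fields[1], fields[2], ", ".join(fields[3:])))
    return rows

BAD_SECRET = re.compile(r"Received packet from (\S+) with invalid Message-Authenticator")
UNKNOWN_CLIENT = re.compile(r"Ignoring request from unknown client\s*:\s*(\S+)")

def radius_client_findings(events: List[Event], threshold: int = 3) -> dict:
    """Count RADIUS authentication failures per peer address; flag addresses that produced
    at least `threshold` invalid Message-Authenticator events (shared secret mismatch)."""
    bad_secret, unknown = Counter(), Counter()
    for source, level, category, description in events:
        if source != "RADIUS" or category != "Authentication":
            continue
        if m := BAD_SECRET.search(description):
            bad_secret[m.group(1)] += 1
        elif m := UNKNOWN_CLIENT.search(description):
            unknown[m.group(1)] += 1
    return {
        "bad_secret": dict(bad_secret),
        "unknown_client": dict(unknown),
        "flagged": sorted(ip for ip, n in bad_secret.items() if n >= threshold),
    }

# Constructed sample (not from the guide) in its quoting style; addresses are documentation range.
SAMPLE_EVENTS = [
    '“Admin server”, “INFO”, “Performed action start on Admin server”',
    '“RADIUS”, “WARN”, “Authentication”, “Ignoring request from unknown client : 192.0.2.20”',
    '“RADIUS”, “ERROR”, “Authentication”, “Received packet from 192.0.2.10 with invalid Message-Authenticator! (Shared secret is incorrect.)”',
    '“RADIUS”, “ERROR”, “Authentication”, “Received packet from 192.0.2.10 with invalid Message-Authenticator! (Shared secret is incorrect.)”',
    '“RADIUS”, “ERROR”, “Authentication”, “Received packet from 192.0.2.10 with invalid Message-Authenticator! (Shared secret is incorrect.)”',
    '“RADIUS”, “ERROR”, “Authentication”, “Received packet from 192.0.2.11 with invalid Message-Authenticator! (Shared secret is incorrect.)”',
    '“TACACSServer”, “ERROR”, “Request”, “Nad Ip=192.0.2.30 not configured”',
]
```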
Appendix D
Use Cases
This appendix contains several specific Dell Networking W-ClearPass Policy Manager use cases. Each one explains what it is typically used for, and then describes how to configure Policy Manager for that use case.
- "802.1X Wireless Use Case" on page 479
- "Web Based Authentication Use Case" on page 485
- "MAC Authentication Use Case" on page 492
- "TACACS+ Use Case" on page 495
- "Single Port Use Case" on page 497
802.
column) at each step. Below the table, we call attention to any fields or functions that may not have an immediately obvious meaning.
Policy Manager ships with fourteen preconfigured Services. In this Use Case, you select a Service that supports 802.1X wireless requests.
Table 317: 802.1X - Create Service Navigation and Settings
Create a new Service:
  - Services >
  - Add Service (link) >
Name the Service and select a preconfigured Service Type:
  - Service (tab) >
  - Type (selector): 802.
Table 318: Configure Authentication Navigation and Settings
Select an Authentication Method and an Active Directory server (that you have already configured in Policy Manager):
  - Authentication (tab) >
  - Methods (select a method from the drop-down list)
  - Add >
  - Sources (select from the drop-down list):
      [Local User Repository] [Local SQL DB]
      [Guest User Repository] [Local SQL DB]
      [Guest Device Repository] [Local SQL DB]
      [Endpoints Repository] [Local SQL DB]
      [Onboard Devices Repository] [Local
Table 319: 802.1X - Configure Authorization Navigation and Settings
Configure the Service level authorization source. In this use case there is nothing to configure; click the Next button.
Upon completion, click Next (to Role Mapping).
4. Apply a Role Mapping Policy. Policy Manager tests client identity against role-mapping rules, appending any match (multiple roles are acceptable) to the request for use by the Enforcement Policy.
Table 320: Role Mapping Navigation and Settings (Continued)
Create rules to map client identity to a Role:
  - Mapping Rules (tab) >
  - Rules Evaluation Algorithm (radio button): Select all matches >
  - Add Rule (button opens popup) >
  - Add Rule (button) >
  - Rules Editor (popup) >
  - Conditions/Actions: match Conditions to Actions (drop-down list) >
  - Upon completion of each rule, click the Save button (in the Rules Editor) >
  - When you are finished working in the Mapping Rules tab, clic
Table 321: Posture Navigation and Settings
Add a new Posture Server:
  - Posture (tab) >
  - Add new Posture Server (button) >
Configure Posture settings:
  - Posture Server (tab) >
  - Name (freeform): PS_NPS
  - Server Type (radio button): Microsoft NPS
  - Default Posture Token (selector): UNKNOWN
  - Next (to Primary Server)
Configure connection settings:
  - Primary/Backup Server (tabs): Enter connection information for the RADIUS posture server.
Table 322: Enforcement Policy Navigation and Settings
Configure the Enforcement Policy:
  - Enforcement (tab) >
  - Enforcement Policy (selector): Role_Based_Allow_Access_Policy
For instructions about how to build such an Enforcement Policy, refer to "Configuring Enforcement Policies" on page 277.
7. Save the Service. Click Save. The Service now appears at the bottom of the Services list.
Web Based Authentication Use Case
This Service supports known Guests with inadequate 802.
Figure 436: Flow-of-Control of Web-Based Authentication for Guests
Configuring the Service
Perform the following steps to configure Policy Manager for WebAuth-based Guest access.
1. Prepare the switch to pre-process WebAuth requests for the Policy Manager Dell WebAuth service. Refer to your Network Access Device documentation to configure the switch so that it redirects HTTP requests to the Dell Guest Portal, which captures the username and password and optionally launches an agent that returns posture data.
Table 323: Service Navigation and Settings (Continued)
Name the Service and select a pre-configured Service Type:
  - Service (tab) >
  - Type (selector): Dell Web-Based Authentication >
  - Name/Description (freeform) >
  - Upon completion, click Next.
3. Set up the Authentication.
  a. Method: The Policy Manager WebAuth service authenticates WebAuth clients internally.
  b. Source: Administrators typically configure Guest Users in the local Policy Manager database.
4.
Table 324: Local Policy Manager Database Navigation and Settings
Select the local Policy Manager database:
  - Authentication (tab) >
  - Sources (select from the drop-down list): [Local User Repository] >
  - Add >
  - Strip Username Rules (check box) >
  - Enter an example of preceding or following separators (if any), with the phrase “user” representing the username to be returned. For authentication, Policy Manager strips the specified separators and any paths or domains beyond them.
Table 325: Posture Policy Navigation and Settings (Continued)
Name the Posture Policy and specify a general class of operating system:
  - Policy (tab) >
  - Policy Name (freeform): IPP_UNIVERSAL >
  - Host Operating System (radio buttons): Windows >
  - When finished working in the Policy tab, click Next to open the Posture Plugins tab.
Select a Validator:
  - Posture Plugins (tab) >
  - Enable Windows Health System Validator >
  - Configure (button) >
Table 325: Posture Policy Navigation and Settings (Continued)
Configure the Validator:
  - Windows System Health Validator (popup) >
  - Enable all Windows operating systems (check box) >
  - Enable Service Pack levels for Windows 7, Windows Vista®, Windows XP, Windows Server® 2008, Windows Server 2008 R2, and Windows Server 2003 (check boxes) >
  - Save (button) >
  - When finished working in the Posture Plugins tab, click Next to move to the Rules tab.
Table 325: Posture Policy Navigation and Settings (Continued)
Set rules to correlate validation results with posture tokens:
  - Rules (tab) >
  - Add Rule (button opens popup) >
  - Rules Editor (popup) >
  - Conditions/Actions: match Conditions (Select Plugin / Select Plugin checks) to Actions (Posture Token) >
  - In the Rules Editor, upon completion of each rule, click the Save button >
  - When finished working in the Rules tab, click the Next button.
The SNMP_POLICY selected in this step provides full guest access to a Role of [Guest] with a Posture of Healthy, and limited guest access.
Table 326: Enforcement Policy Navigation and Settings
Add a new Enforcement Policy:
  - Enforcement (tab) >
  - Enforcement Policy (selector): SNMP_POLICY
  - Upon completion, click Save.
6. Save the Service. Click Save. The Service now appears at the bottom of the Services list.
Figure 437: Flow-of-Control of MAC Authentication for Network Devices
Configuring the Service
Follow these steps to configure Policy Manager for MAC-based Network Device access.
1. Create a MAC Authentication Service.
Table 327: MAC Authentication Service Navigation and Settings
Create a new Service:
  - Services >
  - Add Service (link) >
Table 327: MAC Authentication Service Navigation and Settings (Continued)
Name the Service and select a pre-configured Service Type:
  - Service (tab) >
  - Type (selector): MAC Authentication >
  - Name/Description (freeform) >
  - Upon completion, click Next to configure Authentication.
2. Set up Authentication. You can select any type of authentication/authorization source for a MAC Authentication service.
Table 329: Audit Server Navigation and Settings
Configure the Audit Server:
  - Audit (tab) >
  - Audit End Hosts (enable) >
  - Audit Server (selector): NMAP
  - Trigger Conditions (radio button): For MAC authentication requests
  - Reauthenticate client (check box): Enable
Upon completion of the audit, Policy Manager caches Role (NMAP and NESSUS) and Posture (NESSUS), then resets the connection (or the switch reauthenticates after a short session timeout), triggering a new request, which foll
Figure 438: Administrator connections to Network Access Devices via TACACS+
Configuring the Service
Perform the following steps to configure Policy Manager for TACACS+-based access:
1. Create a TACACS+ Service.
  b. Source: For the purposes of this use case, Network Access Device authentication data is stored in Active Directory.
Table 332: Active Directory Navigation and Settings
Select an Active Directory server (that you have already configured in Policy Manager):
  - Authentication (tab) >
  - Add >
  - Sources (select from the drop-down list): AD (Active Directory) >
  - Add >
  - Upon completion, click Next (to Enforcement Policy).
3. Select an Enforcement Policy.
Figure 439: Flow of the Multiple Protocol Per Port Case
Appendix D
Supported Browsers and Java Versions
The table below lists the supported browsers and Java versions for the OnGuard Dissolvable Agent. These versions were tested in house and are current as of the time of this release.
Table 334: Supported Browsers and Java Versions
Operating System | Browser | Java Version
Windows XP SP3 | Firefox 26.x | Java plugin 10.45.2.18 or JRE-1.7_Update 45-b18 Java hotspot(
Windows XP SP3 | IE 8.0.
Table 334: Supported Browsers and Java Versions (Continued)
Operating System | Browser | Java Version
Windows XP SP3 | Chrome 31.0.1650.63 | Java plugin 10.45.2.18 or JRE-1.7_Update 45-b18
Windows 7 32-bit | Chrome 29.x | Java plugin 10.25.2.17 or JRE-1.7_Update25-b17
Windows 7 32-bit | IE 8.0.7600 | Java plugin 10.45.2.18 or JRE-1.7_45-b18
Windows 7 32-bit | Firefox 26.x | Java plugin 10.45.2.18 or JRE-1.7_45-b18
Windows 7 64-bit | Chrome 29.x | Java plugin 10.25.2.16 or JRE-1.
Table 334: Supported Browsers and Java Versions (Continued)
Operating System | Browser | Java Version | Known Issues
Windows 2008 R2 64-bit | IE 10.0.x | Java 10.5.0.-06 or JRE_1.7Update05-b06 | Cannot view health scan of endpoints.
Windows 2008 R2 64-bit | Firefox 26.x | Java plugin 10.5.0.06 or JRE-1.7_Update05_b06 |
Windows 2003 | Firefox 11.x | Java plugin 10.45.2.18 or JRE-1.7_Update45-b18 |
Mac 10.9 | Firefox 26.x | Java plugin 10.45.2.18 or JRE-1.7_Update45-b18 |
Mac 10.9 | Chrome 29.0.